SENSITIVE BUT UNCLASSIFIED

UNITED STATES DEPARTMENT OF STATE
AND THE BROADCASTING BOARD OF GOVERNORS
OFFICE OF INSPECTOR GENERAL

AUD-IT-13-15                    Office of Audits                    November 2012

Audit of International Boundary and Water Commission,
United States and Mexico, U.S. Section,
Information Security Program

IMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

(U) Acronyms
(U) CM         configuration management
(U) FISMA      Federal Information Security Management Act
(U) GIS        Geographic Information System
(U) GSS        General Support System
(U) IBWC       United States Section, International Boundary and Water Commission
(U) IMD        Information Management Division
(U) IT         information technology
(U) NIST       National Institute of Standards and Technology
(U) OIG        Office of Inspector General
(U) OMB        Office of Management and Budget
(U) POA&M      Plan of Action and Milestones
(U) SCADA      Supervisory Control and Data Acquisition
(U) SP         Special Publication

(U) Table of Contents
(U) Section                                                              (U) Page

(U) Executive Summary ...................................................... 1
(U) Background ............................................................. 7
(U) Objective .............................................................. 9
(U) Audit Results .......................................................... 9
      A. (U) System Inventory .............................................. 9
      B. (U) Risk Management Program ...................................... 10
      C. (U) Configuration Management ..................................... 13
      D. (U) Incident Response and Reporting .............................. 15
      E. (U) Security Training ............................................ 16
      F. (U) Plan of Action and Milestones ................................ 19
      G. (U) Remote Access ................................................ 21
      H. (U) Identity and Access Management ............................... 23
      I. (U) Continuous Monitoring ........................................ 26
      J. (U) Contingency Planning ......................................... 29
      K. (U) Oversight of Contractor System ............................... 31
      L. (U) Security Capital Planning .................................... 33
      M. (U) Personnel Security ........................................... 34
      N. (U) Physical and Environmental Protection ........................ 36
(U) List of Recommendations ............................................... 44
(U) Appendices
      A. (U) Objective, Scope, and Methodology ............................ 48
      B. (U) Office of Inspector General FY 2011 Federal Information Security Management Act Report Statuses of Recommendations ..... 50
      C. (SBU) International Boundary and Water Commission Management Response ..... 55
(U) Major Contributors to This Report ..................................... 66

(U) Executive Summary

(U) In accordance with the Federal Information Security Management Act of 2002 (FISMA),[1] the Department of State, Office of Inspector General (OIG), conducted an audit of the U.S. Section, International Boundary and Water Commission (IBWC), information security program and practices to determine compliance with Federal laws, regulations, and standards established by FISMA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). In addition, OIG reviewed remedial actions taken by IBWC to address control weaknesses identified in OIG’s FY 2011 report Evaluation of the United States Section, International Boundary and Water Commission, Information Security Program (AUD/IT-12-16, November 2011). IBWC took corrective actions on four of the 21 recommendations in the FY 2011 report, and OIG considers those four recommendations closed. The statuses of the remaining recommendations from OIG’s FY 2011 report are presented in Appendix B.

(U) OIG reviewed systems at IBWC’s U.S. Section headquarters in El Paso, TX; field offices in San Diego, CA, Yuma, AZ, and Fort Hancock, TX; and the continuity of operations site at Las Cruces, NM. Overall, OIG found that IBWC had implemented an information security program and had made some progress on previously identified weaknesses. However, OIG identified security control weaknesses that, if exploited, could expose IBWC to security breaches. Specifically, the weakened security controls could adversely affect the confidentiality, integrity, and availability of IBWC information and information systems. To improve the information security program and to bring the program into compliance with FISMA, OMB, and NIST requirements, IBWC should address the following 14 security control weaknesses:

    A. (U) System Inventory

    (U) As reported by OIG for FY 2011,[2] IBWC’s inventory management process to update and manage its information technology (IT) assets should be improved. IBWC’s inventory of systems consists of four information systems: the General Support System (GSS), Geographic Information System (GIS), the Nogales Supervisory Control and Data Acquisition (SCADA) system in Arizona, and the San Diego SCADA system in California. IBWC performed an inventory of its hardware and systems during FY 2012; however, because an IBWC official was unaware of a requirement to update the system inventory when hardware changes occurred, IBWC could not fully account for all IT assets. IBWC had not fully implemented the IBWC Information Technology System Inventory Guide procedures, which require a complete inventory annually. Without a full system inventory management process for all IT assets, IBWC may not have an accurate accounting of all related system interfaces or underlying support systems and may not be able to properly identify and mitigate security risks.

[1] (U) E-Government Act of 2002, Pub. L. No. 107-347, tit. III, 116 Stat. 2946 (2002).
[2] (U) Evaluation of the United States Section, International Boundary and Water Commission, Information Security Program (AUD/IT-12-16, Nov. 2011).

    B. (U) Risk Management Program

    (U) As reported by OIG for FY 2011, IBWC had not implemented a risk management framework or information security policies and procedures that describe the roles and responsibilities of key participants at the organization and system levels. IBWC had neither developed the enterprise architecture nor integrated the IT Strategic Plan into the budget process as part of the risk management program. Because the enterprise architecture and the strategic plan have not been considered in the risk management program, IBWC may not be requesting funding levels appropriate to its risk exposure. Without a risk management strategy implemented at the organizational level, communication of operations at the system level and funding allocation could be negatively affected, because no plans have been developed to deal with the risk exposure. As a result, management is not fully aware of the security vulnerabilities that exist.

    (SBU) At the information system level, IBWC had not completed the security assessment and authorization package for any of the systems. (b) (5) IBWC officials stated that IBWC was unaware of the requirement to complete the security assessment and authorization package for GIS. The NIST requirement for updating GSS and the SCADA systems had not been completed because of a lack of available resources. Without a security assessment and authorization in place, IBWC’s risk management framework is weakened, and IBWC does not have the ability to assess, address, and monitor information security risk.

[3] (U) NIST SP 800-37, rev. 1, “Guide for Applying the Risk Management Framework to Federal Information Systems,” Feb. 2010.

    C. (U) Configuration Management

    (SBU) As reported by OIG for FY 2011, IBWC had not implemented effective configuration management (CM) standards and procedures for its IT environment. Although IBWC had CM standards and procedures in place, it had not implemented a change control process that involved the systematic proposal, justification, implementation, test and evaluation, review, and disposition of changes to the system, including upgrades and modifications. Without implemented procedures that govern the performance of the CM processes, IBWC will not be able to effectively manage the IT security program, which could lead to the introduction of security weaknesses and inconsistent performance.

    D. (U) Incident Response and Reporting

    (U) IBWC’s incident response and reporting did not fully comply with NIST SP 800-53, Revision 3.[4] Specifically, IBWC had not updated its incident response policy and procedures to reflect changes made to its reporting documentation. An IBWC official stated that the incident report template had been updated but had not been incorporated into the incident response and reporting procedures. Lack of an updated procedure may prevent IBWC from reporting security incidents to the appropriate authorities.

    E. (U) Security Training

    (U) As reported by OIG for FY 2011, IBWC had not trained all employees and contractors as required by its security awareness training program. At the time of OIG’s fieldwork, conducted in April 2012, IBWC employees had not completed their general security awareness training, and not all employees with significant security responsibilities had completed their specialized training. However, 5 months remained in the fiscal year during which IBWC could have satisfactorily fulfilled the training requirements. Although IBWC had acquired a security awareness training product in April 2012, an IBWC official stated that the product had not been implemented. Without the completion of initial and annual security awareness training, personnel may be unaware of new risks that may compromise the confidentiality, integrity, and availability of data. Employees with significant security responsibilities who are not properly trained create a risk for IBWC because they may introduce vulnerabilities or may cause security breaches.

    F. (U) Plan of Action and Milestones

    (SBU) As reported by OIG for FY 2011, IBWC had not fully implemented an effective Plan of Action and Milestones (POA&M) process. Although IBWC had made improvements in its POA&M process by including details of the estimated resource requirements and corrective action plans to close the POA&M deficiencies, as required in the OMB template, OIG determined that POA&Ms (1) did not include all vulnerabilities, (2) did not demonstrate that milestones were being effectively addressed to update the status of changes, and (3) were not always reviewed by the Chief Information Officer. IBWC had not determined the security weaknesses for GIS and the SCADA systems because IBWC had not completed the necessary security documents identifying the security controls in place and those that required improvement. System security plans and an independent assessment (Security Test and Evaluation report) would identify the controls that are in place and those that are either missing or deficient (that is, not up to the standard required by Federal Information Processing Standards [FIPS] Publication 199[5] for the levels of potential impact on organizations associated with the system). The absence of these security documents indicated to OIG that IBWC had not conducted the necessary testing of GIS and the SCADA systems; therefore, IBWC was unable to identify the weaknesses requiring remediation. Additionally, IBWC was conducting periodic security scans of GSS, but the weaknesses identified in those scans were also not being recorded in the POA&Ms. Without periodic updates and reviews of POA&M activities and/or completion of the necessary security tests and evaluations, IBWC management may be unaware of the statuses of security vulnerabilities or of the associated corrective actions.

[4] (U) NIST SP 800-53, rev. 3, “Recommended Security Controls for Federal Information Systems and Organizations,” IR-1 through IR-8, Aug. 2009 (last updated May 2010).
[5] (U) FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” Feb. 2004.

    G. (U) Remote Access

    (SBU) As reported by OIG for FY 2011, IBWC had not finalized and implemented its remote access policy and procedures to comply with the requirements in NIST SP 800-53, Revision 3.[6] (b) (5) An IBWC official stated that the access control policy and procedures document contained procedures for remote access, but OIG determined that the procedures still required review and formal approval by IBWC management. Further, an IBWC official stated that controls had not been fully implemented for remote access because of a lack of resources.

    (SBU) In addition, IBWC did not have a wireless policy and procedure in place for establishing usage restrictions and implementation guidance for wireless access, monitoring for unauthorized wireless access to the information system, authorizing wireless access to the information system prior to connection, or enforcing requirements for wireless connections to the information system. Without proper controls in place, unauthorized activities can occur without timely detection, which could adversely impact the confidentiality, integrity, and availability of the data.

    H. (U) Identity and Access Management

    (SBU) IBWC had not implemented its identity and access management process. Although IBWC had an Identification and Authentication Policy and Procedure, the policy had not been reviewed and updated to reflect changes since 2009. OIG determined that the personal identity verification cards had been configured on the network before the testing or assessment required by OMB Memorandum M-04-04[7] had been performed. Specifically, a risk assessment identifying the risk to the system security had not been performed. An IBWC official stated that no formal risk assessment had been performed prior to the implementation of the personal identity verification card because IBWC was not aware that the requirement needed to be completed. Inadequate identity and access management controls increase the risk that accounts may be accessed and used by individuals to perform unauthorized activities.

[6] (U) NIST SP 800-53, rev. 3, AC-17 “Remote Access,” Aug. 2009 (last updated May 2010).
[7] (U) OMB Memorandum M-04-04, “E-Authentication Guidance for Federal Agencies,” Dec. 16, 2003.

    I. (U) Continuous Monitoring

    (SBU) As reported by OIG for FY 2011, IBWC had not fully implemented a continuous monitoring program for its IT systems. During 2012, IBWC had assessed and installed a vulnerability management tool to perform automated routine security assessments of its system environment. However, IBWC manually initiated the vulnerability scans on its enterprise network because of configuration issues between the vulnerability management tool and the network. In addition, IBWC had not developed a formal process that included performing periodic vulnerability scans on its enterprise network, reviewing firewall logs, monitoring for unauthorized devices, and tracking vulnerability results centrally. An IBWC official stated that, because of limited resources, there were no documented policies and procedures detailing the strategy and plans for conducting continuous monitoring activities, including scanning routinely for vulnerabilities, monitoring logs, and notifying appropriate officials of unauthorized devices. Without periodic reviews or the performance of risk-based security assessments, new threats and vulnerabilities may not be identified and mitigated in a timely manner.

    J. (U) Contingency Planning

    (SBU) As reported by OIG for FY 2011, significant improvements were needed to strengthen the IBWC contingency planning process. Although IBWC had documented a contingency plan for GSS and had configured an automated backup process for the headquarters and field offices, (b) (5)

    K. (U) Oversight of Contractor System

    (U) As reported by OIG for FY 2011, IBWC had not implemented an effective oversight program for its contractor system. IBWC’s San Diego field office did not have documented policies and procedures for IBWC’s oversight of systems operated by contractors and did not include the SCADA operations within IBWC’s IT boundaries. An IBWC official stated that IBWC was aware of the deficiencies and was working to address the issues. OIG determined that IBWC officials did not have adequate control over the IT functions at the San Diego wastewater treatment plant or over the IT assets purchased and maintained by the contractor in support of operations. Without proper oversight, there is an increased risk that data collected, processed, and maintained could be exposed to unauthorized access, use, disclosure, disruption, modification, or destruction.

    L. (U) Security Capital Planning

    (U) As reported by OIG for FY 2011, information security was not integrated into IBWC’s Capital Planning and Investment Control process. IBWC did not provide OMB with a detailed explanation of the major investment related to its IT capital investment. An IBWC official stated that, because of the small size of the organization, IBWC officials believed IBWC budget requirements did not meet the level established for reporting to OMB. Lack of planning increases the risk that requests for funding investments will not receive proper consideration.

    M. (U) Personnel Security

    (SBU) As reported by OIG for FY 2011, IBWC had developed its personnel security program but needed to continue making improvements to its implementation of the program because of weaknesses identified by OIG in FY 2011. OIG determined that overall progress had been made toward the implementation of an effective personnel security program. An IBWC official stated that the review process was still ongoing because of limited resources. However, without fully investigating each employee's background, followed by the adjudication process and subsequent clearance, the potential existed for IBWC to employ personnel who were not adequately qualified for selected positions. In addition, employees may be granted inappropriate administrator permissions to access IBWC information technology and physical assets.

    N. (U) Physical and Environmental Protection

    (SBU) As reported by OIG for FY 2011, significant improvements were necessary for IBWC to strengthen its physical and environmental protection controls over organizational assets. Although IBWC had implemented a manual log process for IBWC San Diego contractors to account for the entry and exit of Mexican trucks through the international boundary gate, (b) (5)

    (SBU) IBWC did not enforce physical access authorizations to the information system independent of the physical access controls for the facility. Although physical access controls were in place at the plant, (b) (5)

(U) Based on fieldwork completed in 2012, OIG made 31 recommendations and identified six significant security deficiencies requiring immediate attention, as follows:

    •   (SBU) IBWC had not implemented a risk management framework or information security policies and procedures that describe the roles and responsibilities of key participants at the organization and system levels. (Finding B)
    •   (SBU) IBWC had not implemented effective CM standards and procedures for its IT environment. (Finding C)
    •   (U) IBWC had not fully implemented an effective POA&M process. (Finding F)
    •   (U) IBWC had not fully implemented a continuous monitoring program for its IT systems. (Finding I)
    •   (U) IBWC’s San Diego field office had not documented policies and procedures for oversight of its systems operated by contractors and did not include the SCADA systems operations within its IT boundaries. (Finding K)
    •   (SBU) IBWC had implemented a manual log process for IBWC San Diego contractors to monitor and track Mexican trucks moving through the international boundary gate, (b) (5)

(U) In October 2012, OIG provided a draft of this report to IBWC. Based on IBWC’s October 30, 2012, response to the report’s 31 recommendations, OIG considers all of the recommendations resolved, pending further action.

(U) IBWC’s responses to each recommendation and OIG’s replies to these responses are presented after each recommendation. (IBWC’s response is in Appendix C.)

(U) Background

(U) IBWC is an international organization created in 1889 by the Governments of the United States and Mexico to administer the boundary and water rights treaties and agreements between the two countries.

(U) The entity was created as the International Boundary Commission by the Convention of 1889[8] and given its current name under the Treaty of 1944.[9] IBWC consists of the U.S. Section and the Mexican Section, which have their headquarters in the adjoining cities of El Paso, TX, and Ciudad Juárez, Chihuahua, respectively. Although IBWC is an independent international entity, the U.S. Section takes direction from the Department of State on matters related to foreign policy. The Mexican Section is a unit in the Mexican Ministry of Foreign Affairs.

[8] (U) The Convention of March 1, 1889, was held to address the difficulties caused by natural changes that take place in the beds of the Rio Grande and Colorado Rivers. U.S.-Mex., Mar. 1, 1889, 26 Stat. 1512 (extended indefinitely by Article II of the treaty signed Feb. 3, 1944, 59 Stat. 1219).
[9] (U) Utilization of Waters of the Colorado and Tijuana Rivers and of the Rio Grande, U.S.-Mexico, art. II, Feb. 3, 1944, 59 Stat. 1219.

(U) Through a series of treaties and agreements, IBWC is charged with the application, regulation, and exercise of the provisions of those treaties and agreements for the solution of water and boundary issues along the 1,954-mile border between the two countries. The U.S. Section of IBWC operates under the provisions of 22 U.S.C. 277.[10] The joint mission of the U.S. Section and the Mexican Section is as follows:

    •   (U) Distribute the waters of the boundary rivers between the two countries.
    •   (U) Operate international flood control along the boundary rivers.
    •   (U) Operate the international reservoirs for conservation and regulation of Rio Grande waters for the two countries.
    •   (U) Improve the quality of water of international rivers.
    •   (U) Resolve border sanitation issues.
    •   (U) Develop hydroelectric power.
    •   (U) Establish the boundary in the area limitrophe to (bordering) the Rio Grande.
    •   (U) Demarcate the land boundary.

(U) FISMA was enacted into law as Title III, Public Law Number 107-347, on December 17, 2002. Key requirements of FISMA are as follows:

    •   (U) The establishment of an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
    •   (U) An annual independent evaluation of the agency’s information security programs and practices.
    •   (U) An assessment of compliance with FISMA requirements.

(U) FISMA recognized the importance of information security to the economic and national security interests of the United States. As required by FISMA, each Federal agency should develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including information and information systems provided or managed by another agency, contractor, or source. Additionally, FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of management, operational, and technical controls over IT that supports Federal operations and assets, and it provides a mechanism for improved oversight of Federal agency information security programs.

(U) The Act[11] assigns specific responsibilities to Federal agencies, NIST, OMB, and the Department of Homeland Security[12] to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce IT security risks to an acceptable level. To ensure the adequacy and effectiveness of information system controls, FISMA requires agency program officials, chief information officers, chief information security officers, senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency’s information security program and report the results to the Department of Homeland Security.

[10] (U) 22 U.S.C. § 277, “International Boundary Commission, United States and Mexico; study of boundary waters.”
[11] (U) E-Government Act of 2002, Pub. L. No. 107-347, tit. III, 116 Stat. 2946 (2002).
[12] (U) OMB Memorandum M-10-28, “Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS),” July 6, 2010.

(U) Objective

(U) The objective of this audit was to determine the effectiveness of the IBWC information security program and practices.

(U) Audit Results

(U) Overall, OIG found that IBWC had implemented an information security program; however, OIG identified weaknesses that, if exploited, could significantly impact the information security program controls and expose IBWC to security breaches. The weakened security controls could also adversely affect the confidentiality, integrity, and availability of information and information systems. To improve the information security program and to bring the program into compliance with FISMA, OMB, and NIST requirements, OIG determined that IBWC should address the 14 control weaknesses described below.

A. (U) System Inventory

(U) As reported by OIG for FY 2011, IBWC’s inventory management process to update and manage its information technology (IT) assets needed to be improved. IBWC’s inventory of systems consisted of four information systems: GSS, GIS, and the two SCADA systems, which are also known as Industrial Control Systems. GSS and GIS are operated at the IBWC headquarters in El Paso, and the two SCADA systems are located in San Diego and Nogales. IBWC had performed an inventory of its hardware and systems during FY 2012; however, OIG found that IBWC had not fully accounted for all IT assets. OIG determined that the IBWC inventory listed components associated only with GSS and GIS. OIG identified components in the server room and in the wiring rooms of the first and third floors at the headquarters in El Paso, in the field office in Fort Hancock, and at the site in Las Cruces that were not recorded in the inventory. In addition, OIG determined that IBWC had not included the SCADA systems operated at the IBWC Nogales field office and the San Diego wastewater treatment plant in the inventory listing.

(U) FISMA requires the head of each agency to develop and maintain an inventory of major information systems operated by or under the agency’s control and to identify information systems in an inventory. The inventory should also include interfaces between each system and other systems or networks not operated by or under the control of the agency.[13]

(U) IBWC officials stated that they were unaware of the FISMA requirement to update the system inventory when hardware changes occurred. Without a full system inventory of IT assets, including the SCADA systems and changes to assets, IBWC did not have an accurate accounting of all related system interfaces or underlying support systems and was not able to properly identify and mitigate security risks. As a result, critical management processes such as strategic planning, budgeting, system administration, patch management, and resource management could be adversely affected.

[13] (U) E-Government Act of 2002, Pub. L. No. 107-347, tit. III, 116 Stat. 2946 (2002).

    (U) Recommendation 1. OIG recommends that the Chief Information Officer conduct an inventory to identify all information technology assets, including Supervisory Control and Data Acquisition systems, for the International Boundary and Water Commission.

    (U) Management Response: IBWC concurred with the recommendation, stating that its “Information Management Division (IMD) is implementing a comprehensive IT asset inventory to fully account for all IT assets” within the GSS (and major application GIS), SBIWTP Veolia, SBIWTP SCADA, and Nogales SCADA.

    (U) OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has conducted a complete inventory of all IBWC IT assets.

    (U) Recommendation 2.
OIG recommends that the Chief Information Officer conduct\n        an annual inventory of information technology assets and update the full system\n        inventory when changes are made to those information systems operated by or under the\n        control of the International Boundary and Water Commission (IBWC) or by third-party\n        contractors or agencies on behalf of IBWC, as required by the Federal Information\n        Security Management Act.\n\n        (U) Management Response: IBWC concurred with the recommendation, stating that\n        \xe2\x80\x9can IBWC System inventory was completed in 2012\xe2\x80\x9d and that it would \xe2\x80\x9cbe conducting an\n        annual inventory of all four systems in 2013.\xe2\x80\x9d IBWC further stated that the process for\n        conducting these inventories was being developed.\n\n        (U) OIG Reply: OIG considers the recommendation resolved. The recommendation can\n        be closed when OIG reviews and approves documentation showing that IBWC has\n        completed an annual inventory of all IBWC IT assets.\n\nB. (U) Risk Management Program\n       (U) As reported by OIG for FY 2011, IBWC had not implemented a risk management\nframework to include information security policies and procedures that describe the roles and\nresponsibilities of key participants at the organization and system levels. OIG determined that\nIBWC had not taken corrective actions to develop a risk management framework and did not\nhave a governance structure in place to determine whether IBWC had effectively managed\ninformation security risk. As stated in NIST SP 800-37, Revision 1, 14 the risk management\n\n14\n  (U) NIST SP 800-37, rev.1, \xe2\x80\x9cGuide for Applying the Risk Management Framework to Federal Information\nSystems\xe2\x80\x9d - 2.1 \xe2\x80\x9cIntegrated Organization-Wide Risk Management,\xe2\x80\x9d Feb. 
2010.\n\n                                                    10\n\n                                SENSITIVE BUT UNCLASSIFIED\n\x0c                                  SENSITIVE BUT UNCLASSIFIED\n\nframework is essential to IBWC because it addresses risk from an organizational perspective\nwith the development of a comprehensive governance structure and organization-wide risk\nmanagement strategy.\n\n         (U) In addition, IBWC had not developed an IT strategic plan or enterprise architecture\nthat showed the IT goals for the organization or linked the strategic goals and objectives to the\ndefined business functions. An IBWC official stated that IBWC had planned to incorporate its\nIT strategic plan funding requirements into the FY 2014 organizational budget request which is\nunder development and would include all IBWC IT security investments. NIST SP 800-37 15\nstates that it is essential to prioritize \xe2\x80\x9cmissions and business processes with respect to the goals\nand objectives of the organization.\n\n        (U) Without the implementation of the risk management strategy at the organizational\nlevel, operations at the system level could be negatively affected. Specifically, management may\nbe unaware of existing security vulnerabilities, and associated funding allocations may not be\nadequately determined to address those vulnerabilities.\n\n       (SBU) At the information system level, IBWC had not completed the Security\nAssessment Authorization package as required by NIST SP 800-82 16 and NIST SP 800-53,\nRevision 3 17 for any of its three systems. Specifically, OIG determined the following\nweaknesses in the risk management program:\n\n        \xe2\x80\xa2    (SBU) The GSS Authorization to Operate had expired, and no Authorization to\n             Operate existed for GIS and the SCADA systems. An Authorization to Operate\n             provides verification that an authorizing official has accepted identified risks with the\n             systems. 
According to an IBWC official, all systems were in the production\n             environment.\n        \xe2\x80\xa2    (SBU) Risk assessments, as required by NIST SP 800-37, Revision 1, 18 had not been\n             conducted for GSS, GIS, and the SCADA systems. However, site assessments for the\n             SCADA systems were performed for Nogales and San Diego.\n        \xe2\x80\xa2    (SBU) The GSS System Security Plan was being updated to reflect the changes that\n             had occurred since the last System Security Plan was certified by the Chief\n             Information Officer in April 2007. A System Security Plan had not been completed\n             for GIS and the SCADA systems.\n        \xe2\x80\xa2    (SBU) For all four systems, IBWC did not perform a Security Test and Evaluation,\n             which is a security assessment report supporting the independent assessor\xe2\x80\x99s\n             evaluation of management, operational, and technical controls.\n\n\n15\n   (U) Ibid.\n16\n   (U) NIST SP 800-82, \xe2\x80\x9cGuide to Industrial Control Systems (ICS) Security,\xe2\x80\x9d sec. 6.1.1, \xe2\x80\x9cSecurity Assessment and\nAuthorization,\xe2\x80\x9d June 2011.\n17\n   (U) NIST SP 800-53, rev. 3: \xe2\x80\x9cCA-2 Security Assessments,\xe2\x80\x9d \xe2\x80\x9cCA-6 Security Authorization,\xe2\x80\x9d and \xe2\x80\x9cSA-11\nDeveloper Security Testing,\xe2\x80\x9d Aug. 2009 (last updated May 2010).\n18\n   (U) NIST SP 800-37, rev.1, \xe2\x80\x9cGuide for Applying the Risk Management Framework to Federal Information\nSystems,\xe2\x80\x9d sec. 3.5, \xe2\x80\x9cRMF Step 5 - Authorize Information System,\xe2\x80\x9d Feb. 
2010.\n\n                                                       11\n\n                                  SENSITIVE BUT UNCLASSIFIED\n\x0c                                SENSITIVE BUT UNCLASSIFIED\n\n        (U) IBWC had not effectively followed guidelines contained in NIST SP 800-37,\nRevision 1, 19 for completion of the security assessment and authorization packages. An IBWC\nofficial stated that IBWC was unaware of the NIST requirement to complete the security\nassessments and authorization package for the GIS system. Further, the IBWC official stated\nthat the requirement for updating GSS and the SCADA systems had not been completed because\nof a lack of available resources. Without a security assessment and authorization in place,\nIBWC\xe2\x80\x99s risk management framework has been weakened and IBWC does not have the ability to\nassess, address, and monitor information security risk.\n\n        (U) Recommendation 3. OIG recommends that the Chief Information Officer develop a\n        risk management strategy, which includes the information technology strategic plan and\n        the enterprise architecture at the organizational level, for assessing, addressing, and\n        monitoring information security risks, as required by National Institute of Standards and\n        Technology Special Publication 800-37, Revision 1.\n\n        (U) Management Response: IBWC concurred with the recommendation, stating that a\n        draft form of the risk management framework policy and procedure was available and\n        that staff would internally review the draft by November 30, 2012.\n\n        (U) OIG Reply: OIG considers the recommendation resolved. The recommendation can\n        be closed when OIG reviews and approves documentation showing that IBWC has\n        reviewed and approved the risk management framework policy and procedure.\n\n        (U) Recommendation 4. 
OIG recommends that the Chief Information Officer complete\n        the security documents and the testing of International Boundary and Water Commission\n        information technology assets.\n\n        (SBU) Management Response: IBWC agreed with the recommendation, stating that an\n        updated System Security Plan for the GSS system was available for review and the\n        System Architecture and Design Requirements documentation would be used to help\n        create the System Security Plan required for GIS before it goes into full production.\n        IBWC also stated that it was reviewing upgrades to the systems specified.\n\n        (U) OIG Reply: OIG considers the recommendation resolved. The recommendation can\n        be closed when OIG reviews and approves documentation showing that IBWC\n        developed, tested, and obtained management approval of the security documents\n        specified.\n\n        (SBU) Recommendation 5. OIG recommends that the Chief Information Officer\n        develop the security assessment and authorization packages for the Geographic\n        Information System and Supervisory Control and Data Acquisition systems and update\n        the security assessment and authorization package for the General Support System, as\n\n\n19\n (U) NIST SP 800-53, rev. 3, \xe2\x80\x9cCA-2 Security Assessments, CA-6 Security Authorization, RA-3 Risk Assessment\xe2\x80\x9d\nAug. 
2009 (last updated May 2010).\n\n                                                    12\n\n                                SENSITIVE BUT UNCLASSIFIED\n\x0c                             SENSITIVE BUT UNCLASSIFIED\n\n       required by National Institute of Standards and Technology Special Publication (NIST\n       SP) 800-53, Revision 3 and NIST SP 800-82.\n\n       (U) Management Response: IBWC concurred with the recommendation, stating that\n       IMD would \xe2\x80\x9cdevelop the necessary security assessments and authorization packages for\n       the GIS and SCADA systems and update the GSS authorization package as part of FY\n       2013 priorities.\xe2\x80\x9d\n\n       (U) OIG Reply: OIG considers the recommendation resolved. The recommendation can\n       be closed when OIG reviews and approves documentation showing that IBWC\n       developed, tested, and obtained management approval for the security documents as\n       required.\n\n       (U) Recommendation 6. OIG recommends that the Chief Information Officer improve\n       existing procedures to ensure security assessment and authorization packages, system\n       security plans, and security assessment reports are updated, as required by National\n       Institute of Standards and Technology Special Publication (NIST SP) 800-37, Revision 1\n       and NIST SP 800-53, Revision 3.\n\n       (U) Management Response: IBWC concurred with the recommendation, stating that\n       the risk management framework draft being reviewed \xe2\x80\x9cprovides a specific time frame for\n       the Assessment and Authorization (A&A) processes\xe2\x80\x9d and for \xe2\x80\x9cthe regular update and\n       acceptance of System Security plans and Security Assessments.\xe2\x80\x9d\n\n       (U) OIG Reply: OIG considers the recommendation resolved. 
The recommendation can\n       be closed when OIG reviews and approves documentation showing that IBWC has\n       developed, tested, and obtained management approval of the security documents as\n       required.\n\n       (U) Recommendation 7. OIG recommends that the Chief Information Officer ensure\n       that annual security assessments of a subset of a system\xe2\x80\x99s security controls are conducted,\n       as required by National Institute of Standards and Technology Special Publication 800-\n       37, Revision 1.\n\n       (U) Management Response: IBWC concurred with the recommendation, stating that it\n       is conducting \xe2\x80\x9ca risk assessment and pen test\xe2\x80\x9d on its GSS system.\n\n       (SBU) OIG Reply: OIG considers the recommendation resolved. The recommendation\n       can be closed when OIG reviews and approves documentation showing that IBWC has\n       developed, tested, and obtained management approval of the security documents as\n       required.\n\nC. (U) Configuration Management\n        (SBU) As reported by OIG for FY 2011, IBWC had not implemented effective CM\npolicy and procedures for its IT environment. Although IBWC had CM policy and procedures in\n\n\n                                               13\n\n                             SENSITIVE BUT UNCLASSIFIED\n\x0c                                 SENSITIVE BUT UNCLASSIFIED\n\nplace, IBWC had not accounted for the patch management process to evaluate and approve\npatches for application, installation, oversight, and review of the patch status on the systems.\nOIG determined that responsibility for the implementation of configuration changes and updates\nto the baseline configuration for the systems, operating systems, databases, network, and patch\ninstallation was distributed among the various IT personnel without controls to ensure\ncompliance as required by NIST SP 800-53, Revision 3. 
20 Specifically, OIG determined that\nIBWC had not implemented a change control process that involves the systematic proposal,\njustification, implementation, test, evaluation, review, and disposition of changes to the system,\nincluding upgrades and modifications. Further, IBWC had not maintained control over all\nhardware connected to its SCADA system at the San Diego wastewater treatment plant, which is\noperated by contractors.\n\n       (U) According to NIST SP 800-53, Revision 3, 21 \xe2\x80\x9csecurity controls are the management,\noperational, and technical safeguards or countermeasures employed within an organizational\ninformation system to protect the confidentiality, integrity, and availability of the system and its\ninformation.\xe2\x80\x9d\n\n       (U) This guidance states that organizations should develop and maintain a \xe2\x80\x9cformal,\ndocumented configuration management policy that addresses purpose, scope, roles,\nresponsibilities, management commitment, coordination among organizational entities, and\ncompliance\xe2\x80\x9d with documented procedures for implementation of the policy that an organization\nshould review, approve, document, audit, and provide oversight for CM controls for information\nsystems.\n\n       (U) NIST standards require that the organization report, test, and correct potential CM\nproblems, identifies, reports, and corrects information system flaws; and incorporates flaw\nremediation into the organizational configuration management process. 22 NIST SP 800-40,\nVersion 2.0, states that remediation testing guidelines indicate that patches and configuration\nmodifications should be tested on non-production systems since remediation can easily produce\nunintended consequences. 23\n        (U) An IBWC official stated that CM policy and procedures were currently being\nupdated to include the patch management process. 
An IBWC official also stated that a test\nenvironment did not exist for testing of configuration changes and patches. Without\nimplemented procedures that govern the performance of the CM process, IBWC may not be able\nto effectively manage the IT security program, which could lead to the introduction of security\nweaknesses and inconsistent performance.\n\n\n\n20\n   (U) NIST SP 800-53, rev. 3, CM-1 \xe2\x80\x9cConfiguration Management Policy and Procedure,\xe2\x80\x9d CM-2 \xe2\x80\x9cBaseline\nConfigurations,\xe2\x80\x9d CM-3 \xe2\x80\x9cConfiguration Change Control,\xe2\x80\x9d CM-4 \xe2\x80\x9cSecurity Impact Analysis,\xe2\x80\x9d and CM-5 \xe2\x80\x9cAccess\nRestrictions for Change\xe2\x80\x9d Aug. 2009 (last updated May 2010).\n21\n   (U) NIST SP 800-53, rev. 3, ch. 1, \xe2\x80\x9cIntroduction,\xe2\x80\x9d Aug. 2009 (last updated May 2010).\n22\n   (U) NIST SP 800-53, rev. 3, SI-2 \xe2\x80\x9cFlaw Remediation\xe2\x80\x9d Aug. 2009 (last updated May 2010).\n23\n   (U) NIST SP 800-40, ver. 2.0, \xe2\x80\x9cCreating a Patch and Vulnerability Management Program,\xe2\x80\x9d sec. 2.6, \xe2\x80\x9cTesting\nRemediations,\xe2\x80\x9d Nov. 2005.\n\n                                                      14\n\n                                 SENSITIVE BUT UNCLASSIFIED\n\x0c                                 SENSITIVE BUT UNCLASSIFIED\n\n        (U) Recommendation 8. 
OIG recommends the Chief Information Officer develop and\n        implement configuration management and testing procedures including, but not limited\n        to, patch management and periodic assessments of compliance with the implemented\n        procedures, as required by National Institute of Standards and Technology (NIST)\n        Special Publication (SP) 800-53, Revision 3, and NIST SP 800-40, Version 2.0.\n\n        (U) Management Response: IBWC concurred with the recommendation, stating that\n        \xe2\x80\x9cexisting procedures for patch management\xe2\x80\x9d are being documented and tested for\n        inclusion in the existing CM policy and procedure and that it expects an approved update\n        to the existing CM policy by March 2013.\n\n        (U) OIG Reply: OIG considers the recommendation resolved. The recommendation can\n        be closed when OIG reviews and approves documentation showing that IBWC has\n        developed and implemented configuration management and testing procedures as\n        required.\n\n        (U) Recommendation 9. OIG recommends that the Chief Information Officer develop\n        and implement procedures for the oversight of all systems and hardware including, but\n        not limited to, patch management and periodic assessments of compliance with\n        implemented procedures that are part of the International Boundary and Water\n        Commission operations, as required by National Institute of Standards and Technology\n        Special Publication 800-53, Revision 3.\n\n        (U) Management Response: IBWC concurred with the recommendation, stating that it\n        would begin to develop similar CM policy and procedure for all systems that are part of\n        the IBWC operations and expects to have draft policy in place by March 2013.\n\n        (U) OIG Reply: OIG considers the recommendation resolved. 
The recommendation can\n        be closed when OIG reviews and approves documentation showing that IBWC has\n        developed and implemented procedures for the oversight of all systems and hardware as\n        required.\n\nD. (U) Incident Response and Reporting\n       (U) OIG found that IBWC\xe2\x80\x99s incident response and reporting did not fully comply with\nprovisions of NIST SP 800-53, Revision 3. 24 Specifically, IBWC had not updated its incident\nresponse policy and procedure to reflect changes made to its reporting documentation.\n\n        (U) NIST SP 800-53, Revision 3, 25 states:\n\n        (U) The organization develops, disseminates, and reviews/updates [Assignment:\n        organization defined frequency]:\n\n24\n  (U) NIST SP 800-53, rev. 3, IR-1 through IR-8, Aug. 2009 (last updated May 2010).\n25\n  (U) NIST SP 800-53, rev. 3, IR-1 \xe2\x80\x9cIncident Response Policy and Procedures.\xe2\x80\x9d Aug. 2009 (last updated May\n2010).\n\n                                                      15\n\n                                 SENSITIVE BUT UNCLASSIFIED\n\x0c                                    SENSITIVE BUT UNCLASSIFIED\n\n               a. (U) A formal, documented incident response policy that addresses purpose,\n                  scope, roles, responsibilities, management commitment, coordination among\n                  organizational entities, and compliance; and\n               b. (U) Formal, documented procedures to facilitate the implementation of the\n                  incident response policy and associated incident response controls.\n\n        (U) An IBWC official stated that the incident report template had been updated but that\nthe template had not been incorporated in the incident response and reporting procedures. The\nlack of updated procedures may prevent IBWC from reporting security incidents to appropriate\nauthorities.\n\n           (U) Recommendation 10. 
OIG recommends the Chief Information Officer incorporate\n           the updated incident report template into the incident response and reporting procedures\n           and periodically assess compliance with the procedures, as required by National Institute\n           of Standards and Technology Special Publication 800-53, Revision 3.\n\n           (U) Management Response: IBWC concurred with the recommendation, stating that an\n           updated incident report template has been uploaded to the \xe2\x80\x9cexisting draft Incident\n           Response Policy & Procedures . . . being updated to the new directives format initiated by\n           IBWC\xe2\x80\x9d and that the draft would be \xe2\x80\x9ccompleted, reviewed, and staffed by December 2012\n           for re-approval by the Commissioner.\xe2\x80\x9d\n\n           (U) OIG Reply: OIG considers the recommendation resolved. The recommendation can\n           be closed when OIG reviews and approves documentation showing that IBWC has\n           incorporated the updated incident report template into the incident response and reporting\n           procedures and that it periodically assesses compliance with the procedures as required.\n\nE. (U) Security Training\n        (U) As reported by OIG for FY 2011, IBWC had not trained all employees and\ncontractors as required by its security awareness training program. IBWC developed a draft\nsecurity awareness training policy and procedures that included sanctions for employees who\nfailed to take and complete IT security awareness training. OIG determined that IBWC\nemployees had not completed the required security awareness training and that not all employees\nwith significant security responsibilities had completed their specialized training, as of April 27,\n2012. When OIG completed on-site verification in April 2012, IBWC had not started its annual\ntraining of employees and contractors. 
No IBWC employees or contractors had completed the\nrequired annual training; however, at that time, 5 months remained in the fiscal year during\nwhich IBWC staff could have completed the training. Although IBWC\xe2\x80\x99s security awareness\ntraining program required all personnel to complete annual security awareness training and users\nwith significant security responsibilities to complete specialized training, OIG determined that\nIBWC did not require new employees to complete initial security awareness training prior to\naccessing information systems, as required by NIST SP 800-53, Revision 3. 26\n\n\n26\n     (U) NIST SP 800-53, rev. 3, AT-2 \xe2\x80\x9cSecurity Awareness,\xe2\x80\x9d Aug. 2009 (last updated May 2010).\n\n                                                        16\n\n                                    SENSITIVE BUT UNCLASSIFIED\n\x0c                                 SENSITIVE BUT UNCLASSIFIED\n\n       (U) OMB Circular No. A-130 states \xe2\x80\x9cThe Computer Security Act requires Federal\nagencies to provide mandatory periodic training in computer security awareness and accepted\ncomputer security practices for all employees who are involved with the management, use or\noperation of a Federal computer system within or under the supervision of the Federal agency.\xe2\x80\x9d 27\nTraining ensures that all users are knowledgeable of the rules of the system. 28 Although IBWC\nhad acquired a security awareness training product in April 2012, an IBWC official stated that\nthe product had not been implemented because of the limited number of staff assigned to the\nInformation Management Division (IMD) to support the security training program. 
However,\nIBWC officials stated that IBWC intends to administer security awareness training to all\nemployees, including those with significant security responsibilities by the end of the fiscal year.\n\n        (U) Regarding the necessity for annual security training, NIST SP 800-50 29 states:\n\n        (U) [A]t a minimum, the entire workforce should be exposed to awareness\n        material annually. A continuous awareness program, using various methods of\n        delivery throughout the year, can be very effective. Security training for groups\n        of users with significant security responsibility (e.g., system and network\n        administrators, managers, security officers) should be incorporated into ongoing\n        functional training as needed.\n\n         (U) NIST SP 800-53, Revision 3, 30 also supports training requirements and related\ncorrective actions: \xe2\x80\x9cThe organization provides basic security awareness training to all\ninformation system users (including managers, senior executives, and contractors) as part of\ninitial training for new users, when required by system changes and [Assignment: organization-\ndefined frequency] thereafter.\xe2\x80\x9d Further, NIST SP 800-53, Revision 3, 31 states, \xe2\x80\x9c[T]he\norganization [should employ] a formal sanctions process for personnel failing to comply with\nestablished information security policies and procedures.\xe2\x80\x9d\n\n        (U) Without the completion of initial and annual security awareness training, personnel\nmay be unaware of risks that may compromise the confidentiality, integrity, and availability of\ndata. As a result, personnel may be unable to recognize and respond appropriately to security\nconcerns. Employees with significant security responsibilities who are not properly trained\ncreate a risk for IBWC since they may introduce vulnerabilities because of their elevated level of\nsystem permissions.\n\n        (U) Recommendation 11. 
OIG recommends that the Chief Information Officer ensure\n        the security awareness training policy requiring all International Boundary and Water\n        Commission personnel to attend initial security awareness training is finalized and then\n\n27\n   (U) OMB Circular No. A-130, revised, \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d app. III, \xe2\x80\x9cSecurity of\nFederal Automated Information Resources.\xe2\x80\x9d \xe2\x80\x93 B. \xe2\x80\x9cDescriptive Information,\xe2\x80\x9d a. \xe2\x80\x9cGeneral Support Systems,\xe2\x80\x9d 2.b\n\xe2\x80\x9cTraining.\xe2\x80\x9d\n28\n   (U) OMB Circular No. A-130, revised, A. \xe2\x80\x9cRequirements,\xe2\x80\x9d 3.a.2.b \xe2\x80\x9cTraining.\xe2\x80\x9d\n29\n   (U) NIST SP 800-50, \xe2\x80\x9cBuilding an Information Technology Security Awareness and Training Program,\xe2\x80\x9d pg.20,\nF/N 13, Oct. 2003.\n30\n   (U) NIST SP 800-53, rev. 3, AT-2 \xe2\x80\x9cSecurity Awareness,\xe2\x80\x9d Aug. 2009 (last updated May 2010).\n31\n   (U) NIST SP 800-53, rev. 3, PS-8 \xe2\x80\x9cPersonnel Sanctions,\xe2\x80\x9d Aug. 2009 (last updated May 2010).\n\n                                                      17\n\n                                 SENSITIVE BUT UNCLASSIFIED\n\x0c                      SENSITIVE BUT UNCLASSIFIED\n\nensure that the personnel take the training before they are provided access to information\ntechnology systems, as required by National Institute of Standards and Technology\nSpecial Publication 800-53, Revision 3, and Office of Management and Budget Circular\nNo. A-130.\n\n(U) Management Response: IBWC concurred with the recommendation, stating that\nIMD had updated its existing Security Awareness Training policy and procedure to\ninclude the requirements described and that the policy will be \xe2\x80\x9creviewed, reformatted and\nstaffed for review and sent for approval by December 2013.\xe2\x80\x9d\n\n(U) OIG Reply: OIG considers the recommendation resolved. 
The recommendation can\nbe closed when OIG reviews and approves documentation showing that IBWC has\nensured that the security awareness training policy described is finalized and that\npersonnel take the training before they are granted access to information technology\nsystems as required.\n\n(U) Recommendation 12. OIG recommends that the Chief Information Officer ensure\nall International Boundary and Water Commission personnel attend security awareness\nrefresher training and suspend access to information technology systems and assets when\npersonnel fail to successfully complete the training, as required by National Institute of\nStandards and Technology Special Publication SP 800-53, Revision 3, and Office of\nManagement and Budget Circular No. A-130.\n\n(SBU) Management Response: IBWC concurred with the recommendation, stating that\nthe draft Security Awareness Training policy and procedure \xe2\x80\x9caddresses disciplinary and\ncorrective action the IMD will be authorized to impose on personnel that do not comply\nwith this requirement.\xe2\x80\x9d IBWC also provided information on the status of personnel\nenrolled in the training and stated that notifications had been issued to \xe2\x80\x9cnon-compliant\nemployees and their supervisors\xe2\x80\x9d and that additional notification \xe2\x80\x9cwould be issued for\nnoncompliance.\xe2\x80\x9d\n\n(U) OIG Reply: OIG considers the recommendation resolved. The recommendation can\nbe closed when OIG reviews and approves documentation showing that IBWC has\nensured that all IBWC personnel attend security awareness refresher training and that\naccess to information technology systems and assets is suspended for personnel who do\nnot successfully complete the training as required.\n\n(U) Recommendation 13. 
OIG recommends that the Chief Information Officer ensure the specialized security training requirement for International Boundary and Water Commission personnel with significant security responsibilities is completed so that the personnel are able to maintain their professional proficiency, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC concurred with the recommendation, stating that the updated policy and procedure “addresses this requirement and budgetary requirements to ensure the required training occurs” annually. IBWC further stated that all seven IBWC personnel with significant IT responsibilities have completed training.

(U) OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has ensured that the specialized security training requirement has been met as required.

F. (U) Plan of Action and Milestones

(SBU) As reported by OIG for FY 2011, IBWC had not fully implemented an effective POA&M process. Since OIG’s last review, IBWC had made improvements in its POA&M process by including details of the estimated resource requirements and corrective action plans to close the POA&M deficiencies, as required in the OMB template. In addition, IBWC had used the POA&M for developing, maintaining, and reporting the IBWC’s planned actions for identified weaknesses related to GSS. However, IBWC had not determined the security weaknesses for GIS and the SCADA systems because IBWC had not completed the necessary security documents identifying the security controls in place and those that require improvement. System security plans and an independent assessment (Security Test and Evaluation report) would identify the controls that were in place and those that were either missing or deficient (were not up to the standard required by the FIPS 199[32] levels of potential impact on organizations associated with the system). The absence of these security documents indicated that IBWC had not conducted the necessary testing of GIS and the SCADA systems; therefore, IBWC was unable to identify the weaknesses requiring remediation. Additionally, IBWC was conducting periodic security scans of GSS, but the weaknesses identified in those scans were not recorded in the POA&Ms. OIG identified the following deficiencies:

• (U) The POA&Ms were not properly updated and provided to the Chief Information Officer on a quarterly basis.
• (SBU) The POA&Ms did not include findings identified from GSS vulnerability scan assessments, as well as vulnerabilities associated with the SCADA systems identified from site assessments.
• (U) The POA&Ms did not include a specific corrective action plan for completing the security assessment and authorization package for GSS, GIS, and the Nogales SCADA system.
• (U) The documentation for the corrective action activities was not maintained.
• (U) The POA&Ms were not reviewed on a periodic basis to ensure updates were recorded. Specifically, OIG determined that the estimated completion dates had passed, that updates were not made to the estimated completion date, and that an explanation supporting the delay was not documented.

(U) According to NIST SP 800-53, Revision 3,[33] “the organization updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.”

(U) NIST SP 800-53, Revision 3,[34] also states that “The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.”

(U) Elaborating further on the importance of thorough and effective POA&Ms, OMB Memorandum M-08-21[35] states:

    (U) POA&Ms must include all security weaknesses found during any other review done by, for, or on behalf of the agency, including [Government Accountability Office] audits, financial system audits, and critical infrastructure vulnerability assessments. These plans should be the authoritative agency-wide management tool, inclusive of all evaluations.

(U) The implementation of a POA&M process is important to assess the current state of the security posture of GSS, GIS, and the SCADA systems and to aid in oversight of IT investments. IBWC conducted periodic security scans of GSS but had not accounted for the identified weaknesses in the POA&M process, which could result in POA&Ms becoming out of date. On the other hand, IBWC did not conduct any security scans or complete the security documentation for GIS and the SCADA systems and, therefore, was unable to identify existing vulnerabilities in the systems. Without inclusion of vulnerabilities and periodic updates of POA&M activities, IBWC management may be unaware of weaknesses and the status of corrective actions. As a result, delays in the implementation of corrective actions may not be appropriately identified and resolved in a timely manner.

[32] (U) FIPS 199, Feb. 2004.
[33] (U) NIST SP 800-53, rev. 3, CA-5 “Plan of Action and Milestones,” Aug. 2009 (last updated May 2010).
[34] (U) NIST SP 800-53, rev. 3, PM-4 “Plan of Action and Milestones Process,” Aug. 2009 (last updated May 2010).
[35] (U) OMB Memorandum M-08-21, “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” July 14, 2008.

(U) Recommendation 14. OIG recommends the Chief Information Officer fully implement a Plan of Action and Milestones process to include vulnerabilities identified from all sources and update milestone dates, as required by Office of Management and Budget Memorandum M-08-21 and NIST Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC concurred with the recommendation, stating that it is using its POA&M process “to develop, maintain, and report the IMD work plan” and to track progress toward closing each entry. IBWC further stated that it has entered identified weaknesses and vulnerabilities into the POA&M database “so necessary resources and manpower are allocated to address each issue,” that “the recently discovered vulnerabilities” are being prioritized and scheduled for remediation, and that employees have been notified that regular update and maintenance of the database is now considered “a measurable performance element that will affect their annual performance ratings.”

(SBU) OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has implemented a POA&M process, including vulnerabilities identified from all sources, and updated milestone dates as required.

G. (U) Remote Access

(U) As reported by OIG for FY 2011, IBWC had not finalized and implemented its remote access policy and procedure to comply with NIST requirements. An IBWC official stated that the access control policy and procedure document contains procedures for remote access, but OIG determined that the procedures still require review and formal approval by IBWC management.
During fieldwork completed in 2012, OIG identified additional weaknesses in remote access and wireless devices.

(b) (5)

[36] (U) OMB Memorandum M-06-16, “Protection of Sensitive Agency Information,” June 23, 2006.
[37] (U) NIST SP 800-53, rev. 3, AC-17 “Remote Access,” Aug. 2009 (last updated May 2010).
[38] (U) OMB Memorandum M-06-16.

(U) Wireless Access Weaknesses

(SBU) OIG determined that IBWC did not have a wireless policy and procedure in place (b) (5)

(SBU) OIG identified that IBWC had one wireless access point that IBWC management had requested. An IBWC official stated that only portable devices configured by IMD could have connected to the wireless access point. IBWC configured and issued 11 iPads and two laptops for authorized use within the IMD office to connect to the wireless access point. (b) (5)

(b) (5) OIG determined that IBWC had not periodically reviewed unauthorized access to the wireless network. NIST SP 800-53, Revision 3,[40] states:

    (U) The organization:
    (U) a. Establishes usage restrictions and implementation guidance for wireless access;
    (U) b. Monitors for unauthorized wireless access to the information system;
    (U) c. Authorizes wireless access to the information system prior to connection; and
    (U) d. Enforces requirements for wireless connections to the information system.

(b) (5)

[39] (U) As defined in NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems,” July 2008, Media Access Control addresses are hardware addresses that “uniquely identify each component of an IEEE [Institute of Electrical and Electronics Engineers] 802-based network.”
[40] (U) NIST SP 800-53, rev. 3, AC-18 “Wireless Access,” Aug. 2009 (last updated May 2010).

(U) Inadequate remote access controls increased the risk that accounts may have been accessed and used by individuals to perform unauthorized activities. Without proper controls in place, unauthorized activities could occur without timely detection, which could adversely impact the confidentiality, integrity, and availability of the data.

(U) Recommendation 15. OIG recommends that the Chief Information Officer finalize and implement International Boundary and Water Commission remote access policy and procedure, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Management Response: IBWC concurred with the recommendation, stating that the access control policy and procedure is being updated and would be “ready for review and final approval” by the Commissioner in December 2013.

(U) OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has finalized and implemented remote access policy and procedure as required.

(SBU) Recommendation 16. OIG recommends that the Chief Information Officer implement remote access controls that are enforced (b) (5)

(SBU) Management Response: IBWC concurred with the recommendation, stating that a “solution to address the lack of full disk encryption on all IBWC issued laptops was purchased in FY 2012.” IBWC further stated that it is conducting a “complete inventory and recall of all laptops” that will require the return of all laptops to headquarters for software implementation and update. (b) (5)

(SBU) OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has implemented remote access controls enforced (b) (5)

(U) Recommendation 17. OIG recommends that the Chief Information Officer develop and implement a wireless policy and procedures, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Management Response: IBWC concurred with the recommendation, stating that IMD would “include wireless policy and procedures in the existing update” to access control policy and procedure to address usage restrictions, access procedures, authorization monitors, and compliance requirements for wireless access and connections to the GSS. IBWC further stated that only one wireless access point exists within IBWC headquarters and that existing documentation has been updated.

(U) OIG Reply: OIG considers the recommendation resolved.
The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has developed and implemented a wireless policy and procedure as required.

H. (U) Identity and Access Management

(U) OIG identified three areas of weakness in the identity and access management process: using the e-authentication process, monitoring IT personnel with privileged permissions, and obtaining signed Rules of Behavior agreements from information systems users.

(U) Using the E-authentication Process

(SBU) E-authentication is the process of establishing confidence in the identities of users attempting to electronically access an information system.[41] Although IBWC had implemented Identification and Authentication Policy and Procedure, OIG found that the policy had not been reviewed or updated since 2009.

(U) OMB Memorandum M-04-04[42] identifies a five-step process by which agencies should meet their e-authentication assurance requirements:

• (U) Conduct a risk assessment of the government system.
• (U) Map identified risks to the appropriate assurance level.
• (U) Select technology based on e-authentication technical guidance.
• (U) Validate that the implemented system has met the required assurance level.
• (U) Periodically reassess the system to determine technology refresh requirements.

(U) In addition, NIST SP 800-53, Revision 3,[43] states that organizations should review and update the following:

    a. (U) A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    b. (U) Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

(SBU) OIG determined that personal identity verification cards had been configured to the network prior to any testing or assessment performed, as required by OMB Memorandum M-04-04,[44] and individuals had the ability and had been using their personal identity verification cards to access the network. However, an IBWC official stated that no formal risk assessment was performed prior to the implementation of the personal identity verification card because IBWC was not aware that a risk assessment was required. Without an effective e-authentication process, the control designed to identify systems users’ identities could be compromised.

[41] (U) OMB Memorandum M-04-04, “E-Authentication Guidance for Federal Agencies,” Dec. 16, 2003.
[42] (U) Ibid.
[43] (U) NIST SP 800-53, rev. 3, IA-1 “Identification and Authentication Policy and Procedures,” Aug. 2009 (last updated May 2010).
[44] (U) OMB Memorandum M-04-04, Dec. 16, 2003.

(U) Monitoring Information Technology Personnel With Privileged Permissions

(SBU) IBWC possesses the capability of tracking and logging administrative activities; however, OIG found that IBWC did not have a formal process in place for tracking and monitoring users with privileged role assignments and that management had not established a process for monitoring users with privileged permissions. NIST SP 800-53, Revision 3,[45] states:

    (U) The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions.

(U) When users with privileged permissions are not monitored, unauthorized activities could harm the IBWC information assets and adversely affect the confidentiality, integrity, and availability of data.

(U) Obtaining Signed Rules of Behavior Agreements From Information Systems Users

(U) OIG found that IMD had generated a network account and temporary password prior to user application for network access. IBWC officials stated that users did not receive login credentials until Rules of Behavior agreements had been signed by the users and the Information Systems Security Officer. OIG found that four (33 percent) of 12 (100 percent of new users for the audit period) Rules of Behavior agreements were not signed by the Information System Security Officer. NIST SP 800-53[46] requires users to read and sign Rules of Behavior documents. The Information System Security Officer stated he was not available to sign the four Rules of Behavior documents identified by OIG as lacking appropriate signature.

(U) Recommendation 18. OIG recommends that the Chief Information Officer update and implement identification and authentication management procedures to include the e-authentication procedures, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Management Response: IBWC concurred with the recommendation, stating that IMD was updating the existing identification and authentication policy and procedure to comply with new IBWC directives and include specific language and procedures that would require verification of users’ signatures by ISSOs on all Rules of Behavior documents before initial user credentials are issued.

(U) OIG Reply: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that IBWC has updated and implemented identification and authentication management procedures to include e-authentication procedures as required.

[45] (U) NIST SP 800-53, rev. 3, AC-6 “Least Privilege,” Aug. 2009 (last updated May 2010).
[46] (U) NIST SP 800-53, rev. 3, PL-4 “Rules of Behavior,” Aug. 2009 (last updated May 2010).

(U) Recommendation 19. OIG recommends that the Chief Information Officer perform a risk assessment identifying the risks to system security, as required by the Office of Management and Budget Memorandum M-04-04.

(U) Management Response: IBWC concurred with the recommendation, stating that IMD was creating documentation on required risk assessments and testing before implementing any new technology or access to services required by the agency.

(SBU) OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has performed a risk assessment identifying the risks to system security as required.

I. (U) Continuous Monitoring

(SBU) As reported by OIG for FY 2011, IBWC had not fully implemented a continuous monitoring program for its IT systems. During the FY 2012 audit, OIG identified three weaknesses in the IBWC continuous monitoring process: (b) (5)

An IBWC official stated that, because of limited resources, there are no documented policies and procedures detailing the strategy and plans for conducting continuous monitoring activities that include routine vulnerability scanning, log monitoring, and notification of unauthorized devices.

(U) Formal Continuous Monitoring Process

(SBU) OIG determined that IBWC had assessed and installed a vulnerability management tool designed to perform automated routine security assessments of its system environment to address this deficiency.
(b) (5)

(b) (5)

(U) NIST SP 800-53, Revision 3,[47] states:

    (U) The organization subsequently initiates specific follow-on actions as part of a comprehensive continuous monitoring program. The continuous monitoring program includes an ongoing assessment of security control effectiveness to determine if there is a need to modify or update the current deployed set of security controls based on changes in the information system or its environment of operation. In particular, the organization revisits on a regular basis, the risk management activities described in the Risk Management Framework. In addition to the ongoing activities associated with the implementation of the Risk Management Framework, there are certain events which can trigger the immediate need to assess the security state of the information system and if required, modify or update the current security controls.

    (U) When such events occur, organizations, at a minimum, should take the following actions:

    • (U) Reconfirm the security category and impact level of the information system.
    • (U) Assess the current security state of the information system and the risk to organizational operations and assets, individuals, other organizations, and the Nation.
    • (U) Plan for and initiate any necessary corrective actions.

    (U) After the security controls and/or control upgrades have been implemented and any other weaknesses or deficiencies corrected, the controls are assessed for effectiveness to determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. If necessary, the security plan is updated to reflect any additional corrective actions taken by the organization to mitigate risk.[48]

(U) Further, the NIST publication defines security assessment requirements to include the establishment, implementation, maintenance, and reporting of a continuous monitoring program for information systems. Additional NIST guidance outlines monitoring and detection requirements in accordance with applicable legislation, regulations, and executive policy.[49]

(U) NIST SP 800-53, Revision 3,[50] states that the organization “scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported.”

(U) Without periodic reviews or the performance of risk-based security assessments, new threats and vulnerabilities may not be identified and mitigated in a timely manner, potentially causing damage or disruption to IBWC information systems.

[47] (U) NIST SP 800-53, rev. 3, sec. 3.4 “Monitoring Security Controls,” Aug. 2009 (last updated May 2010).
[48] (U) Ibid.
[49] (U) NIST SP 800-53, rev. 3, SI-4 “Information System Monitoring,” Aug. 2009 (last updated May 2010).
[50] (U) NIST SP 800-53, rev. 3, RA-5 “Vulnerability Scanning,” Aug. 2009 (last updated May 2010).

(U) Vulnerability Scan Results

(SBU) OIG determined that identified vulnerabilities had not been included within the POA&Ms tracking database and that the firewall logs had not been reviewed. Also, IBWC had not performed the Security Test and Evaluations necessary to verify compliance with its security policy guidelines and to evaluate the effectiveness of the security controls against anticipated threats for GSS, GIS, and the SCADA systems. The Information Systems Security Officer had not provided the scan results to the IBWC official responsible for maintaining the POA&M database because of unfamiliarity with the process. OMB Memorandum M-08-21[51] states:

    (U) POA&Ms must include all security weaknesses found during any other review done by, for, or on behalf of the agency, including [Government Accountability Office] audits, financial system audits, and critical infrastructure vulnerability assessments. These plans should be the authoritative agency-wide management tool, inclusive of all evaluations.

(U) When vulnerabilities were not reported to the POA&M database, IBWC did not have an effective process to determine corrective action and security risk exposure. (Additional details are addressed in Finding F, Plan of Action and Milestones, of this report.)

(U) Supervisory Control and Data Acquisition Systems Monitoring Processes

(SBU) In addition to apparent challenges in performing automated vulnerability scans and reviews, OIG found that the SCADA control centers at the San Diego wastewater treatment plant are not effectively monitored to identify and mitigate security incidents. An IBWC contractor stated that screens had not always been monitored for incidents such as alarms, despite the fact that SCADA systems are designed to collect field information, transfer information to a central computer facility, and display, graphically or textually, information, allowing operators to monitor or control an entire system from a central location in real time. NIST SP 800-53 states that personnel are required to report suspected security incidents to the organizational incident response capability and to report “security incident information to designated authorities” within an acceptable timeframe defined by the organization.[52] Without regular security monitoring, incidents could go unnoticed, potentially leading to additional damage and/or disruption. IBWC also needed to conduct regular security monitoring to identify problems with security controls, such as misconfigurations and failures.

[51] (U) OMB Memorandum M-08-21, “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” dated July 14, 2008.
[52] (U) NIST SP 800-53, rev. 3, IR-6 “Incident Reporting,” Aug. 2009 (last updated May 2010).

(SBU) Recommendation 20. OIG recommends that the Chief Information Officer develop and implement policies and procedures to perform continuous monitoring to include automated routine vulnerability assessments for the General Support System, the Geographical Information System, and the Supervisory Control and Data Acquisition systems. The results of such security assessments should be reviewed, and Plans of Action and Milestones should be developed for the improvement of the security controls of major systems, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC concurred with the recommendation, stating that IMD was developing policies and procedures to assist in the full implementation of an effective continuous monitoring program for its IT systems and that IMD had received approval for a permanent, part-time employee whose main responsibility would be “many of the tasks required to maintain a continuous monitoring program.”

(SBU) OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has developed and implemented policies and procedures to perform continuous monitoring to include automated routine vulnerability assessments for the systems specified.
The results of such security assessments should be reviewed, and POA&Ms should be developed for the improvement of the security controls of major systems as required.

J. (U) Contingency Planning

(U) As reported by OIG for FY 2011, IBWC’s contingency planning process required significant improvements. An effective contingency planning program is “designed to mitigate the risk of system and service unavailability by providing effective and efficient solutions to enhance system availability.” 53 NIST SP 800-34, Revision 1, 54 states that information systems are “vital elements” in most business functions and that “it is critical” that the services provided by these systems be able to operate effectively without excessive interruption. NIST guidance further states, “Contingency planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption.” Although IBWC had documented a contingency plan for the GSS and had configured an automated back-up process for the headquarters and field offices, OIG identified the following deficiencies:

(b) (5)

53 (U) NIST SP 800-34, rev. 1, “Contingency Planning Guide for Federal Information Systems,” ch. 2 – “Background,” May 2010.
54 (U) NIST SP 800-34, rev. 1, ch. 1 – “Introduction,” May 2010.

(b) (5)

(U) IBWC is required by NIST SP 800-34 55 to have a collection of plans to prepare for response, continuity, recovery, and resumption of mission and/or business processes and information systems in the event of a disruption. OIG determined that a Business Impact Assessment, which helps to identify and prioritize critical IT systems and components, had not been performed. IBWC management stated that limited resources had prevented them from completing the contingency planning documentation. Without a Business Impact Assessment, IBWC could not identify its critical business processes and therefore could not generate a proper Business Continuity/Recovery Plan.

(b) (5)

55 (U) NIST SP 800-34, rev. 1, app. C, “Response to Question 2,” May 2010.
56 (U) NIST SP 800-34, rev. 1, ch. 3, “Information System Contingency Planning Process,” May 2010.
57 (U) NIST SP 800-82, “Guide to Industrial Control Systems (ICS) Security,” sec. 6.2.3.1 “Business Continuity Planning,” June 2011.
58 (U) NIST SP 800-53, rev. 3, CP-6 “Alternate Storage Site,” Aug. 2009 (last updated May 2010).
59 (U) According to NIST SP 800-12, “An Introduction to Computer Security – The NIST Handbook,” a hot site is “a building already equipped with processing capability and other services and a cold site houses processors that can be easily adapted for use.”

(b) (5)

(SBU) OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has developed and implemented contingency planning procedures and conducted testing for operational effectiveness of all major systems as required.

(SBU) Recommendation 22. OIG recommends that the International Boundary and Water Commission finalize the continuity of operations site and conduct testing for operational effectiveness of all major systems, as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

(SBU) Management Response: IBWC concurred with the recommendation, stating that IMD had awarded a contract in September “to assist with the implementation of a VMWare and Cisco Virtualization solution with Citrix” for secure web access for a disaster recovery system at the Las Cruces continuity of operations site.
IBWC further stated that this solution would “serve as a centralized backup of hardware, software, and data, which would be shared across all IBWC divisions and accessible by authorized IBWC personnel during a disaster recovery.”

(SBU) OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has finalized the continuity of operations site and conducted testing for operational effectiveness of all major systems as required.

K. (U) Oversight of Contractor System

(SBU) As reported by OIG for FY 2011, IBWC had not implemented an effective oversight program for its contractor system. During fieldwork completed in 2012, OIG found that IBWC’s San Diego field office had not documented policies and procedures for IBWC’s oversight of systems operated by contractors and had not included the SCADA operations within IBWC’s IT boundaries. OIG determined that IBWC had not developed policies and procedures to oversee the San Diego operations and that the field office had relied heavily on contractor-produced policies and procedures. The contract between IBWC and the contractor required the contractor to document a SCADA security plan and an IT Security Plan. 60 Although the SCADA security plan included an explanation of security controls, it did not explain functioning controls or planned implementation for the San Diego operation. Also, the security plan did not address the security controls required by NIST SPs 800-53 61 and 800-82. 62

(SBU) In addition, IBWC officials did not have adequate control over the IT functions at the San Diego wastewater treatment plant or the IT assets purchased and maintained by the contractor in support of operations. An IBWC official stated that the organization was aware of the deficiencies and was working to address the issues. IBWC is developing a contract modification with the San Diego contractor to include, but not be limited to, the contractor notifying IBWC of purchases. Additionally, contractor-owned software was operating on the local area network at the San Diego wastewater treatment plant without proper review and approval by IBWC’s IMD.

(U) The Department of Homeland Security FY 2012 Inspector General metrics publication 63 states that contractor systems should have “documented policies and procedures for information security oversight of systems operated on the Organization's behalf by contractors or other entities, including Organization systems and services residing in public cloud,” and that “Systems that are owned or operated by contractors or entities, including Organization systems and services residing in public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.”

(SBU) Without adequate contractor oversight, IBWC cannot be assured that contractor personnel are compliant with FISMA, OMB requirements, and NIST standards. Further, because IMD did not have a review and approval process in place, contractors could purchase IT assets that may not be in the best interest of IBWC. Finally, without proper oversight, there is an increased risk that data collected, processed, and maintained is exposed to unauthorized access, use, disclosure, disruption, modification, or destruction.

60 (U) Contract No. IBM10C0016, “Amendment of Solicitation Commercial Clauses,” Question and Response 3.
61 (U) NIST SP 800-53, rev. 3, Aug. 2009 (last updated May 2010).
62 (U) NIST SP 800-82, “Guide to Industrial Control Systems (ICS) Security,” June 2011.
63 (U) Department of Homeland Security, “FY2012 Inspector General Federal Information Security Management Act Reporting Metrics,” sec. 10, “Contractor Systems,” Mar. 6, 2012.

(U) Recommendation 23. OIG recommends that the International Boundary and Water Commission ensure that its Information Management Division is responsible for the oversight of information technology assets purchased and maintained by the contractor in support of operations at the wastewater treatment plant in San Diego, CA, as required by National Institute of Standards and Technology Special Publications (SP) 800-53, Revision 3, and SP 800-82.

(SBU) Management Response: IBWC concurred with the recommendation, stating that it has established “modifications to existing contracts” with contracted personnel at the San Diego wastewater treatment plant and was reviewing upgrade recommendations resulting from its onsite assessment in early 2012. IBWC further stated that policy and procedure detailing IBWC’s oversight of contractor-operated systems would be created and developed for both the San Diego SCADA and Veolia Systems to replace existing contractor-developed policy and procedure and that the San Diego SCADA system would undergo a major upgrade in 2013 to address password and physical access issues and to remove the connection between the Veolia and SCADA Systems.

(U) OIG Reply: OIG considers the recommendation resolved.
The recommendation can be closed when OIG reviews and approves documentation showing that IBWC has ensured that IMD is responsible for the oversight of information technology assets purchased and maintained by the contractor in support of operations at the San Diego wastewater treatment plant as required.

(U) Recommendation 24. OIG recommends that the International Boundary and Water Commission (IBWC) ensure that its Information Management Division reviews and approves software prior to installation on IBWC assets, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC concurred with the recommendation, stating that the currently proposed software upgrade of the existing SBIWTP SCADA system was being reviewed before it was procured and that this action was “evidence that an approval process is in place.” IBWC further stated, “Mods to the existing contract currently reflect this change.”

(SBU) OIG Reply: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that IBWC has ensured that its IMD has reviewed and approved software before it is installed on IBWC assets as required.

L. (U) Security Capital Planning

(U) In FY 2011, OIG reported that information security costs were not integrated into IBWC’s Capital Planning and Investment Control process. During recent audit fieldwork, OIG found that IBWC still had not provided OMB with a detailed explanation for major investments related to its projected IT security expenditures.
An IBWC official stated that IBWC did not provide OMB with a detailed explanation of IT security expenses because IBWC is a small organization and its budget requirements are not large enough to report to OMB. According to OIG’s FY 2011 report, IBWC had not always considered SCADA systems, valued at $2 million, as part of its total IT security assets to meet OMB’s reporting threshold. However, another IBWC official stated that IBWC’s total IT security assets, if SCADA systems are included, are valued at approximately $2.5 million, well above IBWC’s estimation of OMB’s $2 million reporting threshold. Further, an IBWC official stated that POA&Ms are currently being used to identify and incorporate high-priority tasks into the FY 2014 organizational budget request. However, the POA&M and capital planning request processes differ and are managed by two different positions, requiring close coordination and integration of the two processes to achieve accurate and effective requests for IT funding. (Details are addressed in Finding F – Plans of Action and Milestones of this report.)

(U) IBWC had neither developed the enterprise architecture nor integrated the IT strategic plan into the budget process as part of the risk management program. Since the enterprise architecture and the strategic plan were not considered in the risk management program, IBWC may not be requesting funding levels appropriate to the risk exposure.
As part of the IBWC capital planning request, an IBWC official stated that the POA&Ms were used to identify high-priority tasks to improve the IT environment.

(U) To ensure appropriate allocation of resources to meet projected IT security costs, NIST guidance states that an organization “determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process” 64 and “ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement.” To support security investments, NIST guidance states that organizations should use “a business case/Exhibit 300/Exhibit 53 to record the resources required.” 65

(U) Without effective integration of the POA&M and capital planning request processes or a well-defined enterprise architecture and IT strategic plan, IT funding prioritizations may be negatively affected. Inadequate planning increases the risk that requests for IT security funding investments will not receive proper consideration.

(U) Recommendation 25. OIG recommends that the Chief Information Officer ensure that all information technology assets are accounted for, reported and tracked, and used in the calculation and reporting of Exhibit 300/Exhibit 53s to the Office of Management and Budget. Additionally, OIG recommends that the International Boundary and Water Commission incorporate funding requirements in the information technology strategic plan, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Management Response:
IBWC concurred with the recommendation, stating that it will incorporate costs of IT assets in future budget submissions once all IT assets and system inventories are finalized, which is consistent with OMB guidance.

(U) OIG Reply: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that IBWC has ensured that all information technology assets are accounted for, reported and tracked, and used in the calculation and reporting of Exhibit 300/Exhibit 53s to OMB.

64 (U) NIST SP 800-53, rev. 3, SA-2 “Allocation of Resources,” Aug. 2009 (last updated May 2010).
65 (U) NIST SP 800-53, rev. 3, PM-3 “Information Security Resources,” Aug. 2009 (last updated May 2010).

M. (U) Personnel Security

(U) IBWC had developed its personnel security program but needs to continue making improvements to its implementation of the program to address weaknesses reported by OIG in FY 2011. OIG determined that overall progress had been made toward the implementation of an effective personnel security program. Specifically, OIG identified that IBWC had developed a tracking mechanism to maintain and provide the status of employees who have been cleared or still require suitability investigation. IBWC had also made progress in completing suitability clearances for employees and contractors.

(SBU) However, IBWC IMD staff who are responsible for the IT security functions have a “high-risk” position level and, per IBWC personnel security procedures, should have a higher-level investigation requirement.
OIG determined that IT personnel investigation requirements had been updated from a National Agency Check with Inquiries to Background Investigation based on IBWC’s revised personnel security policy and procedure. “National Agency Check and Inquiries is the basic and minimum investigation required on all new Federal employees. It consists of a National Agency Check 66 including written inquiries and searches of records covering specific areas of a person's background during the past 5 years. Those inquiries are sent to current and past employers, schools attended, references, and local law enforcement authorities.” “A Background Investigation is a more in-depth version of the Limited Background Investigation 67 because the personal investigation covers the most recent 5–7 years. This investigation is required of those going into highest risk public trust positions.”

(U) OIG identified the following deficiencies:

• (SBU) Three of 21 IBWC contractors at the San Diego wastewater treatment plant had not obtained their suitability adjudication, and the remaining 18 contractors that had received their suitability clearance had not obtained their badges in accordance with Homeland Security Presidential Directive 12. 68 Homeland Security Presidential Directive 12, Policies for a Common Identification Standard for Federal Employees and Contractors, requires background investigations to be conducted on all Federal and contractor employees.

• (SBU) IBWC had 23 employees with access to the IMD working space. Of the 23, only seven are assigned to IMD, and IBWC management determined that six of the employees require a higher-level background investigation because of their access to IBWC systems.
IBWC had initiated the process of obtaining the higher-level investigations for the six employees.

(U) An IBWC official stated that completing the review process is still ongoing because of limited resources. Without fully investigating an employee's background, followed by the adjudication process and subsequent clearance, there is a potential that IBWC employs personnel who are not appropriate for the position to which they have been entrusted. In addition, employees may be granted inappropriate administrator permissions to access IBWC information technology and physical assets. This security weakness could also potentially impact the Department of State (Department) because the Department had placed OpenNet 69 terminals in IBWC workspaces.

66 (U) A National Agency Check and Inquiries (NAC) is an integral part of all background investigations; the NAC consists of searches of the Office of Personnel Management's Security/Suitability Investigations Index (SII); the Defense Clearance and Investigations Index (DCII); the Federal Bureau of Investigation Identification Division's name and fingerprint files; and other files or indices, as necessary.
67 (U) A Limited Background Investigation consists of a National Agency Check and Inquiries, credit search, personal subject interview, and personal interviews by an investigator of the subject's background during the most recent 3 years.
68 (U) Homeland Security Presidential Directive-12, Policies for a Common Identification Standard for Federal Employees and Contractors, Aug. 27, 2004.

(U) Recommendation 26.
OIG recommends that the International Boundary and Water Commission finalize its contractors’ suitability clearances, including formal clearance adjudication, and issue badges, as required by Homeland Security Presidential Directive 12.

(SBU) Management Response: IBWC concurred with the recommendation, stating that it had “initiated background investigations” on all 21 contractors, that 16 investigations had been “completed and adjudicated,” and that the remaining two investigations “are still ‘open’ pending completion of investigative leads.” IBWC further stated that 11 contractors had been issued appropriate credentials as required and that the remaining contractors “are pending appointments at credentialing centers.”

(U) OIG Reply: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that IBWC has finalized its contractors’ suitability clearances, including formal clearance adjudication, and issued badges, as required.

(U) Recommendation 27. OIG recommends that the International Boundary and Water Commission ensure that the adjudication process is completed for the information technology employees undergoing background investigations.

(U) Management Response: IBWC concurred with the recommendation, stating that background investigations on all IT personnel had been completed.

(SBU) OIG Reply: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that IBWC has ensured that the adjudication process has been completed for the IT employees undergoing background investigations.

N.
(U) Physical and Environmental Protection

(SBU) As reported by OIG for FY 2011, physical and environmental protection controls of organizational assets remained a challenge. IBWC could significantly strengthen physical and environmental protection of organizational assets by improving physical access controls, securing SCADA control centers and servers, limiting access to server rooms and equipment, and addressing environmental protection weaknesses as outlined in NIST guidance. (b) (5)

(b) (5)

69 (U) OpenNet is the Department of State’s internal network (intranet), providing access to State-specific Web pages, e-mail, and other resources. Only authorized personnel who meet 12 FAM 621.1a are allowed access to OpenNet.

(b) (5)

(U) Physical Protection Weaknesses

(SBU) While examining physical access controls, OIG found that IBWC should make improvements to protect systems from unauthorized access that could compromise the confidentiality, integrity, and availability of data. IBWC had made progress since FY 2011 by implementing a manual log process for IBWC San Diego contractors to account for the entry and exit of Mexican trucks through the international boundary gate.
According to physical access authorizations outlined in NIST guidance, 70 organizations should establish, review, and maintain current lists of employees and contractors with authorized facility access and administer appropriate corresponding credentials.

(U) Physical Access Devices

(b) (5)

(U) Proximity Access Cards

(SBU) The proximity access cards were controlled by the contractors who are located at the wastewater treatment plant. (b) (5)

(U) Remote Gate Devices

(SBU) The remote gate devices are accessible to the San Diego IBWC employees and contractors. (b) (5)

70 (U) NIST SP 800-53, rev. 3, PE-2 “Physical Access Authorization,” Aug. 2009 (last updated May 2010).

(b) (5)

(U) According to NIST SP 800-53, Revision 3, 71 “the organization develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible), issues authorization credentials, reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.” Without proper accountability for and record of remote gate devices, there is an increased risk that the devices could be used for purposes other than work-related access to the San Diego wastewater treatment plant.
An IBWC official stated that IBWC was aware of the risks associated with the number of individuals with proximity cards or remote gate devices and was in the process of identifying corrective actions to mitigate the risk.

(U) Supervisory Control and Data Acquisition Control Centers and Servers

(SBU) OIG found that IBWC did not enforce physical access authorizations to the information system independent of the physical access controls for the facility. Although there were physical access controls in place at the wastewater treatment plant, (b) (5)

(b) (5)

71 (U) NIST SP 800-53, rev. 3, PE-2.
72 (U) According to NIST SP 800-82, “Guide to Industrial Control Systems (ICS) Security,” June 2011, “A SCADA control center performs centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data.”
73 (U) According to NIST SP 800-82, a “Programmable Logic Controller is generally used for discrete control for specific applications and generally provides regulatory control.”

(b) (5)

(U) NIST SP 800-82 74 states:

• (U) Restricting physical access to the [Industrial Control System] network and devices. Unauthorized physical access to components could cause serious disruption of the ICS’s functionality.
A combination of physical access controls should be used, such as locks, card readers, and/or guards.

• (U) Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.

(U) Unauthorized access to network devices and administrative functions could allow a user to disrupt Industrial Control Systems operations or monitor Industrial Control Systems network activity. Also, access to network equipment should be controlled to prevent damage or destruction.
In addition, improper access to network equipment could lead to any of the following conditions:

• (U) Physical theft of data and hardware.
• (U) Physical damage or destruction of data and hardware.
• (U) Unauthorized changes to the security environment (e.g., altering access control lists to permit attacks to enter a network).
• (U) Unauthorized interception and manipulation of network activity.
• (U) Disconnection of physical data links or connection of unauthorized data links.

(U) Server Rooms and Equipment Access

(U) OIG identified weaknesses in physical controls to the server room (b) (5) at IBWC’s U.S. Section headquarters in El Paso, the IBWC field office in Fort Hancock, and the San Diego wastewater treatment plant. Following OIG recommendations in FY 2011, IBWC had implemented a proximity card reader to limit access to the second floor server room in El Paso to authorized personnel.
The San Diego and Yuma field offices had installed cipher locks that restrict access to authorized personnel only, and had bolted their server racks to the floor.

74 (U) NIST SP 800-82, “Executive Summary,” June 2011.

(U) OIG observed the following physical control deficiencies:

• (U) The third floor equipment room in El Paso and the Fort Hancock field office had not been restricted to authorized personnel.

• (U) All IBWC El Paso file server racks were not locked.

• (U) IBWC El Paso and San Diego wastewater treatment plant server racks were not bolted to the floor.

(U) According to NIST SP 800-53, Revision 3, 75 “the organization develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible), issues authorization credentials, reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.” An IBWC official stated that no formal physical and environmental protection plan existed. Without an effective physical protection plan, personnel may be unaware of risks that could compromise the confidentiality, integrity, and availability of data.

(U) Environmental Protection Weaknesses

(U) Environmental protection controls are designed to protect employee safety and IT assets from damage and destruction.
OIG determined that some environmental protections in place at IBWC offices were insufficient to adequately protect personnel and property. Specifically, OIG found the following environmental protection weaknesses:

• (U) The IBWC San Diego and Yuma field offices had not maintained fire suppression and detection devices suited to the water and humidity sensitivity of electrical equipment. For example, although the Yuma field office had installed a sprinkler system in its server room to combat fire hazards, the water discharged by the sprinkler system, if activated, could damage sensitive electronic equipment.
• (U) The IBWC San Diego field office had no way to shut down electricity or provide emergency lighting within the computer area in the event of an emergency, which could result in damage to equipment or injury to personnel.

(U) NIST SP 800-53, Revision 3,⁷⁶ states that “the organization protects power equipment and power cabling for the information system from damage and destruction.” NIST SP 800-53, Revision 3, also states the following:

• (U) “The organization provides the capability of shutting off power to the information system or individual system components in emergency situations.⁷⁷
• (U) The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.⁷⁸
• (U) The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.⁷⁹
• (U) The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.”⁸⁰

⁷⁵ (U) NIST SP 800-53, rev. 3, PE-2.
⁷⁶ (U) NIST SP 800-53, rev. 3, PE-9 “Power Equipment and Power Cabling,” Aug. 2009 (last updated May 2010).
⁷⁷ (U) NIST SP 800-53, rev. 3, PE-10 “Emergency Shutoff,” Aug. 2009 (last updated May 2010).
⁷⁸ (U) NIST SP 800-53, rev. 3, PE-11 “Emergency Power,” Aug. 2009 (last updated May 2010).
⁷⁹ (U) NIST SP 800-53, rev. 3, PE-12 “Emergency Lighting,” Aug. 2009 (last updated May 2010).
⁸⁰ (U) NIST SP 800-53, rev. 3, PE-13 “Fire Protection,” Aug. 2009 (last updated May 2010).

(U) An IBWC official stated that no formal physical and environmental protection plan existed. Without an effective environmental protection plan, personnel may be unaware of risks that could result in injuries to personnel and damage or destruction of IBWC IT assets.

(U) Recommendation 28. OIG recommends that the International Boundary and Water Commission develop and implement chain-of-custody procedures to control access to the proximity access cards and remote gate devices along the international border.

(SBU) Management Response. IBWC concurred with the recommendation, stating that the San Diego Field Office Area Operations Manager, “in coordination with the Veolia Superintendent,” had implemented an accountability plan that “responds to necessary procedures and controls over proximity access cards and remote gate devices” and that the policy and procedures had been updated and were being finalized.

(U) OIG Reply. OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that IBWC has developed and implemented chain-of-custody procedures to control access to the proximity access cards and remote gate devices along the international border.

(U) Recommendation 29. OIG recommends that the International Boundary and Water Commission develop and implement physical access controls to restrict access to the Supervisory Control and Data Acquisition control centers, Programmable Logic Controller, and file servers, as required by National Institute of Standards and Technology Special Publication 800-82.

(SBU) Management Response. IBWC concurred with the recommendation, stating that the current update to the existing SCADA System at the SBIWTP was being evaluated to ensure that the items specified in the recommendation were addressed, including the “physical access, deficiencies and requirement of auto-locking screens for PLC and HMI interfaces throughout the plant.” IBWC stated that it anticipated having the new security features and updated systems in place by September 2013.

(U) OIG Reply. OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and approves documentation showing that IBWC has developed and implemented physical access controls to restrict access to the SCADA control centers, PLC, and file servers as required.

(U) Recommendation 30. OIG recommends that the International Boundary and Water Commission restrict access to file servers at its San Diego, CA, wastewater treatment plant, the field offices in Fort Hancock, TX, and its headquarters in El Paso, TX, and ensure the servers are attached to the floor to prevent damage to equipment or harm to employees, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response. IBWC concurred with the recommendation, stating that the current proposed update to the existing SCADA System at the SBIWTP was being evaluated to ensure that the items specified in the recommendation are addressed, including the physical access to servers at the SBIWTP. IBWC further stated that a “half rack” had been installed at the Ft. Hancock office and that this rack restricted access to network components installed there. IBWC stated that it was finalizing work that would expand the IBWC LAN room, “providing more sufficient cooling, allow for growth and address the requirement of having all server racks bolted to the floor to prevent damage to equipment or harm to employees.”

(U) OIG Reply. OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that IBWC has restricted access to file servers at its San Diego, CA, wastewater treatment plant, the field offices in Fort Hancock, and its headquarters in El Paso and ensures that the servers are attached to the floor to prevent damage to equipment or harm to employees as required.

(U) Recommendation 31.
OIG recommends that the International Boundary and Water Commission determine the most cost-effective protective measures to prevent fire and damage to file servers, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Management Response. IBWC concurred with the recommendation, stating that an assessment of all IBWC server rooms would be conducted in early 2013 “to determine the most cost-effective protective measures to prevent fire and damage to file servers.”

(U) OIG Reply. OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that IBWC has determined the most cost-effective protective measures to prevent fire and damage to file servers as required.

(U) List of Recommendations

(U) Recommendation 1. OIG recommends that the Chief Information Officer conduct an inventory to identify all information technology assets, including Supervisory Control and Data Acquisition systems for International Boundary and Water Commission.

(U) Recommendation 2. OIG recommends that the Chief Information Officer conduct an annual inventory of information technology assets and update the full system inventory when changes are made to those information systems operated by or under the control of the International Boundary and Water Commission (IBWC) or by third-party contractors or agencies on behalf of IBWC, as required by the Federal Information Security Management Act.

(U) Recommendation 3.
OIG recommends that the Chief Information Officer develop a risk management strategy, which includes the information technology strategic plan and the enterprise architecture at the organizational level, for assessing, addressing, and monitoring information security risks, as required by National Institute of Standards and Technology Special Publication 800-37, Revision 1.

(U) Recommendation 4. OIG recommends that the Chief Information Officer complete the security documents and the testing of International Boundary and Water Commission information technology assets.

(SBU) Recommendation 5. OIG recommends that the Chief Information Officer develop the security assessment and authorization packages for the Geographic Information System and Supervisory Control and Data Acquisition systems and update the security assessment and authorization package for the General Support System, as required by National Institute of Standards and Technology Special Publication (NIST SP) 800-53, Revision 3 and NIST SP 800-82.

(U) Recommendation 6. OIG recommends that the Chief Information Officer improve existing procedures to ensure security assessment and authorization packages, system security plans, and security assessment reports are updated, as required by National Institute of Standards and Technology Special Publication (NIST SP) 800-37, Revision 1 and NIST SP 800-53, Revision 3.

(U) Recommendation 7. OIG recommends that the Chief Information Officer ensure that annual security assessments of a subset of a system’s security controls are conducted, as required by National Institute of Standards and Technology Special Publication 800-37, Revision 1.

(U) Recommendation 8.
OIG recommends the Chief Information Officer develop and implement configuration management and testing procedures including, but not limited to, patch management and periodic assessments of compliance with the implemented procedures, as required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP 800-40, Version 2.0.

(U) Recommendation 9. OIG recommends that the Chief Information Officer develop and implement procedures for the oversight of all systems and hardware including, but not limited to, patch management and periodic assessments of compliance with implemented procedures that are part of the International Boundary and Water Commission operations, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Recommendation 10. OIG recommends the Chief Information Officer incorporate the updated incident report template into the incident response and reporting procedures and periodically assess compliance with the procedures, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Recommendation 11. OIG recommends that the Chief Information Officer ensure the security awareness training policy requiring all International Boundary and Water Commission personnel to attend initial security awareness training is finalized and then ensure that the personnel take the training before they are provided access to information technology systems, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3, and Office of Management and Budget Circular No. A-130.

(U) Recommendation 12.
OIG recommends that the Chief Information Officer ensure all International Boundary and Water Commission personnel attend security awareness refresher training and suspend access to information technology systems and assets when personnel fail to successfully complete the training, as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3, and Office of Management and Budget Circular No. A-130.

(U) Recommendation 13. OIG recommends that the Chief Information Officer ensure the specialized security training requirement for International Boundary and Water Commission personnel with significant security responsibilities is completed so that the personnel are able to maintain their professional proficiency, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Recommendation 14. OIG recommends the Chief Information Officer fully implement a Plan of Action and Milestones process to include vulnerabilities identified from all sources and update milestone dates, as required by Office of Management and Budget Memorandum M-08-21 and NIST Special Publication 800-53, Revision 3.

(U) Recommendation 15. OIG recommends that the Chief Information Officer finalize and implement International Boundary and Water Commission remote access policy and procedure, as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3.

(SBU) Recommendation 16. OIG recommends that the Chief Information Officer implement remote access controls that are enforced with two-factor authentication and encryption of data on mobile devices, as required by the Office of Management and Budget Memorandum M-06-16.

(U) Recommendation 17.
OIG recommends that the Chief Information Officer develop and implement a wireless policy and procedures, as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3.

(U) Recommendation 18. OIG recommends that the Chief Information Officer update and implement identification and authentication management procedures to include the e-authentication procedures, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Recommendation 19. OIG recommends that the Chief Information Officer perform a risk assessment identifying the risks to system security, as required by the Office of Management and Budget Memorandum M-04-04.

(SBU) Recommendation 20. OIG recommends that the Chief Information Officer develop and implement policies and procedures to perform continuous monitoring to include automated routine vulnerability assessments for the General Support System, the Geographical Information System, and the Supervisory Control and Data Acquisition systems. The results of such security assessments should be reviewed, and Plans of Action and Milestones should be developed for the improvement of the security controls of major systems, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(b) (5)

(SBU) Recommendation 22. OIG recommends that the International Boundary and Water Commission finalize the continuity of operations site and conduct testing for operational effectiveness of all major systems, as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

(U) Recommendation 23.
OIG recommends that the International Boundary and Water Commission ensure that its Information Management Division is responsible for the oversight of information technology assets purchased and maintained by the contractor in support of operations at the wastewater treatment plant in San Diego, CA, as required by National Institute of Standards and Technology Special Publications (SP) 800-53, Revision 3, and SP 800-82.

(U) Recommendation 24. OIG recommends that the International Boundary and Water Commission (IBWC) ensure that its Information Management Division reviews and approves software prior to installation on IBWC assets, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Recommendation 25. OIG recommends that the Chief Information Officer ensure that all information technology assets are accounted for, reported and tracked, and used in the calculation and reporting of Exhibit 300/Exhibit 53’s to the Office of Management and Budget. Additionally, OIG recommends that International Boundary and Water Commission incorporate funding requirements in the information technology strategic plan, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Recommendation 26. OIG recommends that International Boundary and Water Commission finalize its contractors’ suitability clearances, including formal clearance adjudication, and issue badges, as required by Homeland Security Presidential Directive 12.

(U) Recommendation 27.
OIG recommends that International Boundary and Water Commission ensure that the adjudication process is completed for the information technology employees undergoing background investigations.

(U) Recommendation 28. OIG recommends that the International Boundary and Water Commission develop and implement chain-of-custody procedures to control access to the proximity access cards and remote gate devices along the international border.

(U) Recommendation 29. OIG recommends that the International Boundary and Water Commission develop and implement physical access controls to restrict access to the Supervisory Control and Data Acquisition control centers, Programmable Logic Controller, and file servers, as required by National Institute of Standards and Technology Special Publication 800-82.

(U) Recommendation 30. OIG recommends that the International Boundary and Water Commission restrict access to file servers at its San Diego, CA, wastewater treatment plant, the field offices in Fort Hancock, TX, and its headquarters in El Paso, TX, and ensure the servers are attached to the floor to prevent damage to equipment or harm to employees, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Recommendation 31.
OIG recommends that the International Boundary and Water Commission determine the most cost-effective protective measures to prevent fire and damage to file servers, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Appendix A

(U) Objective, Scope, and Methodology

(U) The objective of this audit was to determine the effectiveness of the U.S. Section, International Boundary and Water Commission (IBWC), information security program and practices.

(U) The Federal Information Security Management Act of 2002 (FISMA) requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or another source. To ensure the adequacy and effectiveness of these controls, FISMA requires the agency’s inspector general or an independent external auditor to perform annual reviews of the information security program and to report those results to the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS).¹ DHS uses this data to assist in oversight responsibilities and to prepare its annual report to Congress regarding agency compliance with FISMA.

(U) To fulfill its responsibilities required by FISMA, the Office of Inspector General (OIG), Office of Audits, conducted fieldwork at the El Paso, TX, headquarters; the San Diego, CA, Yuma, AZ, and Fort Hancock, TX, field offices; and the continuity of operations site at Las Cruces, NM, to evaluate the IBWC information technology (IT) security program and practices and to determine the effectiveness of the program for FY 2012. OIG interviewed IBWC senior management, employees, and contractors and evaluated managerial effectiveness and operational controls. OIG observed daily operations and obtained evidence to support OIG conclusions and recommendations and collected written documents to augment observations and interviews.

(U) OIG conducted its audit from April 2012 through July 2012 and its fieldwork from April 2012 through June 2012. In addition, OIG performed the audit in accordance with generally accepted government auditing standards (GAGAS) and in accordance with FISMA, OMB, and National Institute of Standards and Technology Special Publication guidance. GAGAS requires an audit to be planned and performed to obtain sufficient, appropriate evidence to provide a reasonable basis for its findings and conclusions based on the audit objective. OIG believes that the evidence obtained provides a reasonable basis for its findings and conclusions based on the audit objective.

(U) OIG discussed its findings and proposed recommendations with IBWC officials on August 23, 2012.
Additionally, an interim discussion was conducted with IBWC Information Management Division personnel.

¹ (U) OMB Memorandum M-10-28, “Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS),” July 6, 2010.

(U) Work Related to Internal Controls

(U) OIG assessed the adequacy of internal controls by performing manual assessments of internal controls related to the areas audited, through which OIG gained an understanding of the effectiveness of IBWC’s FISMA-mandated information security program. OIG identified and discussed exceptions with IBWC officials to better understand the reasons behind internal control challenges. Through conversations with IBWC officials, OIG gained an understanding of the policies and procedures related to IBWC’s information security program. OIG learned how IBWC oversees the development of an information security program to protect information and information systems, to report timely results regarding the security posture of information and information systems, and to implement corrective measures to address previously identified FISMA findings and recommendations. OIG’s conclusions on the internal control deficiencies identified during this audit are detailed in the “Audit Results” section of this report.

(U) Use of Computer-Processed Data and Data Reliability

(U) The audit team used computer-generated data from IBWC during this audit. To assess the reliability of computer-processed data, OIG reviewed electronic documentation related to IT personnel investigation requirements and performed tracing of data to source documentation.
Specifically, OIG obtained and reviewed personnel security policies with members of the Information Management Division (IMD) to identify the IBWC staff responsible for IT security functions requiring background investigations. OIG determined that the data were sufficiently reliable to support the conclusions and recommendations of this report.

(U) Appendix B

(U) Office of Inspector General
FY 2011 Federal Information Security Management Act Report
Statuses of Recommendations

(U) The FY 2011 Federal Information Security Management Act (FISMA) evaluation was conducted by the Department of State, Office of Inspector General (OIG), Office of Audits, and contained 21 recommendations.¹ The audit team reviewed remedial actions implemented by U.S. Section International Boundary and Water Commission (IBWC) management to respond to the findings identified in the OIG FY 2011 FISMA report. Below is the current status of each recommendation:

(U) Recommendation 1. OIG recommends that the Chief Information Officer ensure that all assets are accounted for in the inventory system and develop a process that updates, not less than annually, the International Boundary and Water Commission’s (IBWC) system inventory when changes are made to those information systems operated by or under the control of IBWC or by third-party contractors or agencies on behalf of IBWC, as required by the Federal Information Security Management Act.

(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendations 1 and 2 (Finding A) in the FY 2012 report.

(U) Recommendation 2.
OIG recommends that the Chief Information Officer improve the risk management strategy at the organizational level for assessing, responding to, and monitoring information security risk, as required in National Institute of Standards and Technology Special Publication 800-37, Revision 1.

(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 3 (Finding B) in the FY 2012 report.

(U) Recommendation 3. OIG recommends that the Chief Information Officer:

• (SBU) Develop the security assessment and authorization packages for the Supervisory Control and Data Acquisition systems as required by National Institute of Standards and Technology Special Publication (NIST SP) 800-82 and NIST SP 800-53, Revision 3.
• (U) Improve existing procedures to ensure security assessment and authorization packages are updated every 3 years or when a significant change occurs, as required by NIST SP 800-37, Revision 1.
• (U) Improve existing procedures to ensure system security plans and security assessment reports are updated as required to comply with the security baseline controls in NIST SP 800-53, Revision 3.
• (SBU) Perform annual security assessments of a subset of a system’s security controls, as required by NIST SP 800-37, Revision 1.

¹ (U) Evaluation of the United States Section, International Boundary and Water Commission, Information Security Program (AUD/IT-12-16, November 2011).

(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendations 4-7 (Finding B) in the FY 2012 report.

(SBU) Recommendation 4.
OIG recommends the Chief Information Officer develop and implement security configuration management procedures and periodically assess compliance with the implemented procedures, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 8 (Finding C) in the FY 2012 report.

(U) Recommendation 5. OIG recommends that the Chief Information Officer develop procedures for the oversight of all systems and hardware that are part of the International Boundary and Water Commission operations, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 9 (Finding C) in the FY 2012 report.

(U) Recommendation 6. OIG recommends that the Chief Information Officer enforce the security awareness training policy requiring all personnel to attend initial and refresher security awareness training and enforce consequences of non-compliance for personnel who do not successfully complete the security awareness training, as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3, and Office of Management and Budget Circular No. A-130.

(U) Status: Closed January 2012. IBWC’s Information Management Division (IMD) conducted five information technology (IT) security training classes immediately after the OIG visit in August 2011, resulting in 235 of 272 employees completing annual IT security training. IBWC acquired a cloud-based training system that will allow for a much more efficient method to provide IT security training to IBWC personnel.

(U) Recommendation 7.
OIG recommends that the Chief Information Officer enforce the security awareness training requirement for those personnel with significant security responsibilities, as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3, and Office of Management and Budget Circular No. A-130.

(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 13 (Finding E) in the FY 2012 report.

(U) Recommendation 8. OIG recommends the Chief Information Officer implement a Plan of Action and Milestones (POA&M) process and review the quarterly POA&M reports and all elements of the POA&M, as required by Office of Management and Budget (OMB) M-02-01 and M-08-21.

(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 14 (Finding F) in the FY 2012 report.

(SBU) Recommendation 9. OIG recommends that the Chief Information Officer develop a remote access policy and procedure, as required by National Institute of Standards and Technology Special Publication SP 800-53, Revision 3.

(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 15 (Finding G) in the FY 2012 report.

(SBU) Recommendation 10. OIG recommends that the Chief Information Officer develop and implement policies and procedures to perform continuous monitoring to include automated routine vulnerability assessments for all major systems and general support systems (GSS).
The\nresults of such security assessments should be reviewed, and Plans of Action and Milestones\nshould be developed for the improvement of the security controls of major systems and GSS, as\nrequired by National Institute of Standards and Technology Special Publications 800-53,\nRevision 3, and 800-53A.\n\n(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 20\n(Finding I) in the FY 2012 report.\n\n(SBU) Recommendation 11. OIG recommends that the International Boundary and Water\nCommission finalize the Continuity of Operations site and conduct testing for operational\neffectiveness, as required by National Institute of Standards and Technology Special Publication\n800-34, Revision 1.\n\n(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 22\n(Finding J) in the FY 2012 report.\n\n(SBU) Recommendation 12. OIG recommends that the International Boundary and Water\nCommission identify an off-site backup for its field offices in Nogales, AZ, San Diego, CA, and\nYuma, AZ as required by National Institute of Standards and Technology Special Publication\n800-34, Revision 1.\n\n(U) Status: Closed April 2012. IBWC acquired the needed client to allow for the full offsite\nbackup of all field offices.\n\n(U) Recommendation 13. OIG recommends that the International Boundary and Water\nCommission ensure that its Information Management Division is involved in the oversight of\ninformation technology assets purchased and maintained by the contractor in support of\noperations at the waste treatment plant in San Diego, CA, as required by National Institute of\nStandards and Technology Special Publications 800-53, Revision 3, and 800-82 and with Office\nof Management and Budget M-11-33.\n\n\n                                               52\n\n                             SENSITIVE BUT UNCLASSIFIED\n\x0c                              SENSITIVE BUT UNCLASSIFIED\n\n(U) Status: Closed from the FY 2011 FISMA report. 
It has become Recommendation 23\n(Finding K) in the FY 2012 report.\n\n(SBU) Recommendation 14. OIG recommends that International Boundary and Water\nCommission (IBWC) ensure that its Information Management Division reviews and approves\nsoftware prior to installation on IBWC assets, as required by National Institute of Standards and\nTechnology Special Publication 800-53, Revision 3, and Office of Management and Budget M-\n11-33.\n\n(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 24\n(Finding K) in the FY 2012 report.\n\n(U) Recommendation 15. OIG recommends that the Chief Information Officer ensure that all\nfunding for information technology (IT) security investments and IT components is tracked as\nrequired by Office of Management and Budget M-11-33.\n\n(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 25\n(Finding L) in the FY 2012 report.\n\n(U) Recommendation 16. OIG recommends that International Boundary and Water\nCommission (IBWC) devote attention and resources to ensure that all IBWC employees and\ncontractors undergo background investigations and formal clearance adjudication, as required by\nHomeland Security Presidential Directive 12.\n\n(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 26 and 27\n(Finding M) in the FY 2012 report.\n\n(SBU) Recommendation 17. OIG recommends that the International Boundary and Water\nCommission develop and implement chain-of-custody procedures to control access to and use of\nremote gate devices along the international border.\n\n(U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 28\n(Finding N) in the FY 2012 report.\n\n(SBU) Recommendation 18. OIG recommends that the International Boundary and Water\nCommission (IBWC) collaborate with the Department of Homeland Security to ensure that\nIBWC-sponsored entry into the United States is appropriately inspected by U.S. 
Customs and\nBorder Protection.\n\n(U) Status: Closed April 2012. IBWC entered into an agreement with the U.S. Customs and\nBorder Protection, a component of the Department of Homeland Security, detailing the\ninspection actions by U.S. Customs and Border Protection of IBWC-sponsored entry.\n\n(U) Recommendation 19. OIG recommends that the International Boundary and Water\nCommission implement a process to review, update, and approve the Information Management\nDivision staff access list to the server room at its office in El Paso, TX as required by National\nInstitute of Standards and Technology Special Publication 800-53, Revision 3.\n\n                                                53\n\n                              SENSITIVE BUT UNCLASSIFIED\n\x0c                                SENSITIVE BUT UNCLASSIFIED\n\n   (U) Status: Closed April 2012. IBWC reviewed the access to server room and prepared a\n   current list of Information Management Division staff that has been granted access.\n\n   (U) Recommendation 20. OIG recommends that the International Boundary and Water\n   Commission restrict access to file servers at its San Diego, CA waste treatment plant, the field\n   offices in San Diego and Yuma, AZ, and its headquarters in El Paso, TX and ensure the servers\n   are attached to the floor to prevent damage to equipment or harm to employees, as required by\n   National Institute of Standards and Technology Special Publication 800-53, Revision 3.\n\n   (U) Status: Closed from the FY 2011 FISMA report. It has become Recommendation 30\n   (Finding N) in the FY 2012 report.\n(b) (5)\n\n\n\n\n   (U) Status: Closed from the FY 2011 FISMA report. 
It has become Recommendation 31\n   (Finding N) in the FY 2012 report.\n\n\n\n\n                                                  54\n\n                                SENSITIVE BUT UNCLASSIFIED\n\x0c                                 SENSITIVE BUT UNCLASSIFIED\n\n\n                                                                                               (U) Appendix C\n\n        (U) International Boundary and Water Commission Response\n\n\n\n\n                             \xef\xbf\xbdATIONAL BOUNDARY AND WATER COMMISSION\n                                  UNITED STATES AND MEXICO\n\nonoc:aorntiCO\\t\xe2\x80\xa2tl2liOfl>a\n  UNITIIOSfAfti$!\xef\xbf\xbdC:riOfl                         October 30,2012\n\n\n\n          Mr. Harold W. Geisel\n          United States Department of State\n          Deputy Inspector General\n          Office of Inspector General\n          Washington, D. C. 20520\n\n          Subject: Evaluation ofthe United States Section, International Boundasy and Water\n          Commission (IBWC) Information Security Program\n\n          Dear Mr. Geisel:\n\n          We appreciate the opportunity to provide a response to your letter dated October 15, 2012. We\n          are pleased to \xef\xbf\xbdport that we have made some progress on the closing of recommendations since\n          your \xef\xbf\xbdnt visit and provide the enclosure detailing our response and status on each of your\n          recommendations, along with supporting documentation that we have available.\n\n          We will continue to keep your office posted on our continued pro\xef\xbf\xbd towards full\n          Implementation ofall recommendations.\n\n          Please advise if you have any questions or if we may be of any assistance.\n\n\n\n\n                                                  J;lL\xef\xbf\xbdEdward Drusmo, P. 
B.\n                                                       Commissioner\n\n\n\n\n                                                        55\n\n                                 SENSITIVE BUT UNCLASSIFIED\n\x0c                          SENSITIVE BUT UNCLASSIFIED\n\n\n\n                                                                                        Enclosure\n\n                                OIG Draft Audit Responses\nEvaluation o/the United States Section, International Boundary and Water Commission (IBWC)\n               In/ormation Security Program (AUDII T-XX-XX, October 20 12)\n\n\n\n\nRECOMMENI>ATION I : O IG recommends that the Chief Information Officer conduct an\ninventory to identify all information technology assets, including Supervisory Control and Data\nAcquisition systems fo r International Boundary and Water Commi ssion.\n\n(u)   Ma nagement co ncu rs with the finding and recommendation: The Infonnati on\nManagement Division (lMD) is implementing a comprehensive IT asset inventory to full y\naccount for all IT assets within the fo llowing systems: GSS (and Major application GIS),\nSB IWTP VeoIia, SB IWTP SCADA and Nogales SCADA. The updated inventory accounts for\nall assets located in the GSS server room, wiring closets on the 1st and 3rd floor of the HQ\nbuilding, Ft. Hancock and Las Cruces, which have been revalidated and are now accurately\naccounted for in the IT inventory. The SBIWTP asset inventory has been provided by contractor\nrepresentatives and will be validated in 2013. The Nogales SCADA is in the process of being\nverified by Nogales personnel after the initial inventory of the System was conducted in April\n2012.\n\n*The draft IG report identifies the IBWC \'s inventory of systems as four information systems:\nGSS , GIS and the SCADA systems in Noga les and South Bay International Wastewater\nTreatment Plant (SBIWTP). 
The IBWC System inventory documentation as documented and\nreported however, consists of: GSS (with Major Application GIS), SBIWTP SCADA, SBIWTP\nAdmin and Nogales SCADA.\n\n\nRECO MM ENDATION 2: DIG recommends that the Chief Information Officer conduct an\nannual inventory of infornlation technology assets and update the full system inventory when\nchanges are made to those information systems operated by or under the control of the\nInternational Boundary and Water Commission OBWC) or by third-party contractors or agencies\non behalf of IBWC, as required by the Federal Infonnation Security Management Act.\n\n(u)  Management concurs wit h the finding and recommendation: An IBWC System\ninventory was completed in 2012 and will be conducting an annual inventory of all four systems\nin 2013. The process for conducting these inventories is being developed.\n\n\nRECOMMENDATION 3: OIG recom mends that the Chi ef In format ion Officer develop a risk\nmanagement strdtegy, which includes the information techno logy strategic plan and the enterprise\narchitecture at the organizational level, for assessing, address ing, and monitoring informat ion\nsecurity risks, as required by National Inst itute of Standards and Technology Special Publication\n800-37, Revision I.\n\n\n\n\n                                                  56\n\n                          SENSITIVE BUT UNCLASSIFIED\n\x0c                          SENSITIVE BUT UNCLASSIFIED\n\n\n\n                                                                                        Enclosure\n\n                                 OIG Draft Audit Responses\nEvaluation of the United States Section, International Boundary and Water Commission (IBWC)\n                Information Security Program (AUDIIT-XX-XX, October 20 12)\n\n(U) Management concurs with the finding and recommendation: A draft risk management\nframewo rk policy a nd procedure is available in draft form and will be staffed for internal\nreview by November 30, 2012. 
The IBWC seeks the assistance of your office - DIG - in\nreviewing the documentation to ensure that all requirements are addressed prior to final approval.\nThe IBWC is currently having a risk assessment/pen test conducted by a third party that wi ll\nreveal any potential risks and vulnerabilities present within our GSS. The IMD will use this\ninformation to establish the basis for a renewed Authorization to Operate designation anticipated\nto be in place by January 2013.\n\n\nRECOMMENDATION 4: DIG recommends that the Ch ief Informati on Officer comp lete the\nsecurity documents and the testing of International Boundary and Water Comm ission informati on\ntechnology assets.\n\n(S 8 W Management concurs with the finding and recommendation : An updated System\nSecurity Plan is available for review for the GSS system. System Architecture a nd Design\nRequirements documentation is available for the GIS Major Application and will be used to\nhelp create the System Security Plan required for it. A SSP will be developed for the GIS system\nprior to going into fu ll production. 
Upgrades to the SBIWTP SCADA and SBIWTP Admi n\nsystems are being reviewed based on initial site assessments and upon approval and\nimplementation; SSP\'s and ST&E\'s will be developed and conducted respectively for each of\nthese systems.\n\n\nRECOMMENDATION 5: DIG recommends that the Chief In formation Officer develop the\nsecurity assessment and authorization packages for the Geographic Information System and\nSupervisory Control and Data Acquisition systems and update the security assessment and\nauthorization package for the General Support System, as required by National Institute of\nStandards and Techno logy Special Publication (N IST SP) 800-53, Revision 3 and NIST SP 800-\n82.\n\n(u) Management concurs with the finding and recommendation : The IMD will develop the\nnecessary security assessments and authorization packages for the GIS and SCADA systems and\nupdate the GSS authorization package as part of FY 2013 priorities.\n\nRECOMMENDATION 6: DIG recommends that the Chief Information Officer improve\nexi sting procedures to ensure security assessment and authorization packages, system security\nplans, and security assessment reports are updated, as required by National Institute of Standards\nand Technology Special Publication (N IST SP) 800-37, Revision 1 and NIST SP 800-53,\nRevision 3.\n\n(U) Managem ent concurs with the finding and recommendation:           The draft Risk\nManagement Framework documentation under review provides a specific time frame for the\n\n                                                2\n\n\n\n\n                                                    57\n\n                          SENSITIVE BUT UNCLASSIFIED\n\x0c                           SENSITIVE BUT UNCLASSIFIED\n\n\n\n\n                                                                                         Enclosure\n\n                                 OIG Draft Audit Responses\nEvaluation of the United States Section, International Boundary and Water Commission (IBWC)\n      
          Information Security Program (AUD/IT- XX-XX, October 2012)\n\nAssessment and Authorization (A&A) processes, as well as the regular update and acceptance of\nSystem Security plans and Security Assessments . The draft documentation also includes the\nA&A process, which will be completed every three years or whenever a new Designated\nAccrediting Authority (DAA) is assigned.\n\n\nRECOMMENDATION 7: 010 recommends that the Chief Information Officer ensure that\nannual security assessments of a subset of a system\'s security control s are conducted, as required\nby National Institute of Standards and Technology Special Publication 800-37, Revision 1.\n\n(U) Management concurs with the finding and recommendation: The USIBWC is currently\nhaving a risk assessment and pen test conducted on our GSS system. The Scope of Work\nprovided to the third party security assessment contractor details the work being performed\nconsistent with National Institute of Standards and Technology Special Publication 800-37,\nRevision 1. Results from this assessment will be used to prepare our A&A package, develop\nPoA&M\'s and develop our work plan for 20 13.\n\n\nRECOMM ENDATION 8: OIG recommends the Chief Information Officer develop and\nimplement configuration management and testin g procedures including, but not limited to, patch\nmanagement and periodic assessments of compliance with the implemented procedures, as\nrequired by National Institute of Standards and Techno logy (N IST) Special Publication (SP)\n800-53, Revision 3, and NIST SP 800-40, Version 2.0.\n\n(U) Management concurs with the finding and recommendation: Ex ist ing procedures fo r\npatch management are in the process of being documented and tested to include in the existing\nCM policy and procedure. 
We have establi shed the IMD Training room as a viable test\nenvironment to conduct analysis and reviews of configuration changes and patches and anticipate\nan approved update to the existing CM po licy by March 20 13.\n\n\nRECOMMENDATION 9: DIG recommends that the Chief Informati on Officer develop and\nimplement procedures fo r the oversight of all systems and hardware includ ing, but not limited to,\npatch management and periodic assessmcnts of compliance with implemented procedures that\nare part of the International Boundary and Water Commission operations, as required by\nNational Institute of Standards and Technology Special Publi cation 800-53, Revision 3.\n\n( U)Management concurs with the finding and recommendation: The USIBWC will begin\nthe development of similar CM policy and procedure for all systems that are part of the IBWC\noperations to include contractor run and SCADA Systems. We anticipate having draft policy in\nplace by March 2013.\n\n\n\n                                                 3\n\n\n\n\n                                                     58\n\n                           SENSITIVE BUT UNCLASSIFIED\n\x0c                           SENSITIVE BUT UNCLASSIFIED\n\n\n\n                                                                                          Enclosure\n\n                                 OIG Draft Audit Responses\nEvaluation of the United States Section, International Boundary and Water Commission (IBWC)\n                Information Security Program (AUD/IT-XX-XX, October 2012)\n\nRECOMMENDATION 10: OIG recommends the Chief Information Officer incorporate the\nupdated incident report template into the incident response and reporting procedures and\nperiodically assess compliance with the procedures, as required by National Institute of\nStandards and Technology Special Publication 800-53, Revision 3.\n\n(U)  Management concu rs with the finding and recommendation: The updated incident\nreport template has been uploaded to 
the existing draft Incident Response P&P currently being\nupdated to the new directives format initiated by the IBWC. The draft P&P will be completed,\nreviewed and staffed by December 2012 for re-approval by Commissioner.\n\nRECOMMENDATION II : OIG recommends that the Chi ef Information Officer ensure the\nsecurity awareness training policy requiring all lnternational Boundary and Water Commission\npersonnel to attend initial security awareness training is finalized and then ensure that the\npersonnel take the training before they are provided access to information technology systems, as\nrequired by National Institute of Standards and Technology Special Publication 800-53, Revision\n3, and Office of Management and Budget Circular No. A-1 30.\n\n(U)  Management co ncurs with the finding and recommendation : The IMD has updated its\nexisti ng Security Awa reness Training policy and procedure to include the requirements\ndescribed in the recommendation. The policy wi ll be reviewed, reformatted and staffed for\nreview and sent for approval by December 2013.\n\nRecommendation 12: OIG recommends that the Chief Information Officer ensure all\nInternational Boundary and Water Commission personnel attend security awareness refresher\ntraining and suspend access to information technology systems and assets when personnel fail to\nsuccessfully complete the training, as required by National Institute of Standards and\nTechnology Special Publi cation SP 800-53 , Revision 3, and Office of Management and Budget\nCircular No. A-130.\n\n(SBU) Management co ncurs with the finding and recommendation:                 The draft Security\nAwareness Training policy and procedure addresses disciplinary and corrective action the IMD\nwill be authorized to impose on personnel that do not compl y with thi s requirement. For Basic\nIT Security T raining: Total of 192 enrolled, 157 completed, 4 are still in progress and 31 have\nnot started. 
For those that handle PH : total of67 Enrolled: 61 have completed the training, 4\nhave not started and 2 are in progress. Notifications have been issued to non-compli ant\nemployees and their supervisors. One additional notification of network suspension will be\nissued for failure to comply with requirement.\n\nRecommendation 13: OIG recommends that the Chie f Information Officer ensure the\nspecialized security trai ning requirement for International Boundary and Water Commission\npersonnel with significant security responsi bil ities is completed so that the personnel are able to\nmaintain their professional proficiency, as required by National Institute of Standards and\nTechnology Special Publication 800-53, Revision 3.\n\n                                                 4\n\n\n\n\n                                                     59\n\n                           SENSITIVE BUT UNCLASSIFIED\n\x0c                          SENSITIVE BUT UNCLASSIFIED\n\n\n\n                                                                                          Enclosure\n\n                                 OIG Draft Audit Res ponses\nEvaluarion ofrhe United States Section, International BoundGfY and Water Commission (IBWC)\n               Information Security Program (AUD/IT-XX-XX, October 2012)\n\n(SB U) Management concurs with the finding and recommendation: The updatcd policy and\nprocedure addresses this requirement and budgetary requirements to ensure the required training\noccurs will be allocated on an annual basis. 
For those with significant IT responsibilities: 7 out\nof 7 have completed training.\n\n\nReco mm enda tion 14: OIG recommends the Chi ef Infonnation Officer fu lly implement a Plan\nof Action and Milestones process to include vulnerabili ties identifi ed from all sources and update\nmilestone dates, as required by Office of Management and Budget Memorandum M-08- 21 and\nNIST Special Publication 800-53, Revision 3.\n\n(S BU) Ma nagement concurs with the finding and recomm endation : The IBWC is using its\nPoA&M process to develop, maintain and report the IMD work plan and track progress towards\nclosing each entry. Identified weaknesses and vulnerabilities identified at the conclusion of the\nongoing third party risk assessment and other internal assessments will be entered into the\nPoA&M database so necessary resources and manpower are all ocated to address each issue.\nRecently discovered vulnerabilities with printers, Video Teleconferenci ng, USB Thumb dri ves\nand laptops have been entered as new PoA&Ms recently and are being prioritized and scheduled\nfor remediation. Regular updates of PoA&Ms were included in this year\'s employee mid -year\nreviews and employees were notified that their regular update and maintenance of the PoA&M\ndatabase is now a measurable perfonnance element that will affect their annual rating.\n\n\nReco mmendation 15: OIG recommends that the Chief Infonnation Officer finalize and\nimplement International Boundary and Water Commission remote access policy and procedure,\nas required by National Institute of Standards and Technology Special Publication SP 800-53,\nRevision 3.\n\n(U) Mana gement concurs with the finding and recommend ation: The Access Control\npo licy and procedu re is being updated and will be rcady for review and final approval by\nCommissioner in December 2013 . 
The updates address the additional weaknesses found by the\nIG in remote access and wireless devices.\n\n\nRecomm endation 16: OIG recommends that the Chief Infonnation Officer implement remote\naccess controls that is enforced with two-factor authentication and encryption of data on mobile\ndevices, as required by the Office of Management and Budget Memorandum M-06- l6.\n\n(S BU) Ma nagement co ncu rs with the finding and recommendation: A solution to address\nthe lack of full disk encryption on all IBWC issued laptops was purchased in FYI2 (Lumension).\nA complete inventory and recall of all laptops is in the process of being conducted that will\nrequire the return of all laptops to HQ for implementation of this software and complete any\nnecessary updates. The IMD has also stepped up its recall of all non-encrypted USB thumb\ndrives and is replacing them with encrypted lronKey thumb drives.\n                                                 5\n\n\n\n\n                                                     60\n\n                          SENSITIVE BUT UNCLASSIFIED\n\x0c                         SENSITIVE BUT UNCLASSIFIED\n\n\n\n                                                                                       Enclosure\n\n                                  OIG Draft Audit Responses\nEvaluation of the United States Section, International Boundary and Water Commission (IBWC)\n                InJormation Security Program (AUDIIT-XX-XX, October 2012)\n\n\nAdditionally. laptops that are configured for remote access to the IBWC network via VPN will\nbe configured with two factor authentication, The inventory of remote users and their remote\naccess capabilities is being documented. 
This will allow us to identify all users who are allowed\nto use remote access to connect to the IBWC network to include privileged functions.\n\nRecommendation 17: OIG recommends that the Chief Infonnation Officer develop and\nimplement a wireless policy and procedures, as required by National Institute of Standards and\nTechnology Special Publi cation SP 800-53, Revision 3.\n\nill) Management concurs with the finding and recommendation: The IMD will include\nwireless policy and procedures in the existing update to the Access Control policy and procedure\nthat will address usage restrictions, access procedures, monitoring unauthorized wireless access\nand enforcing requirements for wireless connections to the GSS. There is one wireless access\npoint within rBWC HQ and the existing documentation that lists the current authorized devices\nhas been updated.\n\n\nRecommend ation 18: OIG recommends that the Chief Infonnation Officer update and\nimplement identification and authentication management procedures to include the e-\nauthentication procedures, as required by National Institute of Standards and Technology Special\nPublication 800-53, Revision 3.\n\n(u) Management concurs with the finding and recommendation: The IMD is updating the\nexisting Identification and Authentication policy and procedure to comply with the new IBWC\ndirect ive fonnat and include specific language and procedures that will require verification of\nsignatures by ISSO on all Rules of Behavior documents prior to issuing initial user credentials.\n\nRecommen dation 19: DIG recommends that the Chief Infonnation Officer perfonn a risk\nassessment identifying the risks to system security, as required by the Office of Management and\nBudget Memorandum M-04-04.\n\n(U)  Management concurs with the finding and recommendation: The IMD is currently\ncreating documentation on required risk assessments and testing pri or to implementation of any\nnew technology or access to services required by the 
agency in accordance with OMB\nMemorandum M-04-04.\n\nRecommendation 20: OIG recommends that the Chief Information Officer develop and\nimplement policies and procedures to pcrfonn continuous monitoring to include automated\nroutine vulnerability assessments fo r the General Support System, the Geographical Infonnation\nSystem, and the Supervisory Control and Data Acqui sition systems. The results of such security\nassessments should be reviewed, and Plans of Action and Mil estones should be developed for the\n\n\n                                                6\n\n\n\n\n                                                    61\n\n                         SENSITIVE BUT UNCLASSIFIED\n\x0c                                SENSITIVE BUT UNCLASSIFIED\n\n\n\n                                                                                               Enclosure\n\n                                        OIG Draft Audit Responses\n      Evaluation of the United States Section, International Boundary and Water Commission (lBWC)\n                      Informalion Security Program (AUD/IT-XX-XX, October 2012)\n\n      improvement of the security control s of major systems, as required by National In stitute of\n      Standards and Techno logy Special Publication 800-53, Revision 3.\n\n      (SHU) Management concurs with the finding and recommendation: The IMD is in the\n      process of developing poli cies and procedures to assist in the fu ll implementation of an effective\n      continuous monitori ng program for its IT Systems. The IMD has received approval for a\n      permanent, part time empl oyee whose main responsibility will be many of the tasks required to\n      maintain a cont inuous monitoring program. Tasks identified include but are not limited to log\n      monitoring, vulnerabili ty scanning, detection of unauthorized devices and acting on results of\n      vulnerability scans in a timely manner. 
Additional duties will also include ensuring PoA&M\'s\n      include identified vulnerabilities based on monitoring results, maintaining change control\n      management documentation and conducti ng Security Test and Evaluations necessary for all\n      IBWC Systems (to include SCADA systems) to ensure regular evaluation of security controls.\n\n\n(b) (5)\n\n\n\n\n      (SH U) Man agem ent concurs with the finding and recommendation: The IMD is updating\n      existing COOP documentation to reflect significant changes to the environment and to enable\n      testing of the agency\'s di saster recovery solution. The US IBWC is also developing a Business\n      Impact Assessment to help identify and prioritize critical IT systems and components. A "warm"\n      disaster recover site will be implemented and existing backup infrastructure will be used as part\n      of the disaster recovery plan and enable the access of backup data directly to IBWC employees.\n      Testing of the disaster recovery plan with recently acqui red hardware and software is scheduled\n      for May 2013.\n\n\n      Recommendation 22:           DIG recommends that the I.ntemational Boundary and Water\n      Commission finalize the continuity of operations site and conduct testing for operational\n      effectiveness of all major systems, as required by National Institute of Standards and Technology\n      Special Publication 800-34, Revision l.\n\n      (SBU) Management concurs with the finding and recommendation : In September the IMD\n      awarded a contract to assist with the implementation of a VMWare and Cisco Virtualization\n      solution with Citrix for secure web access for a Disaster Recovery (DR) system at the Las Cruces\n      COOP site. 
This solution is to serve as a centralized source of backup hardware/software and\n      data to be shared across all US IBWC divisions and will enable accessed to authorized US IBWC\n      personnel during a disaster recovery.\n\n\n\n                                                       7\n\n\n\n\n                                                        62\n\n                                SENSITIVE BUT UNCLASSIFIED\n\x0c                          SENSITIVE BUT UNCLASSIFIED\n\n\n\n\n                                                                                       Enclosure\n\n                                 OIG Draft Audit Responses\nEva/uation of the United States Section, International Boundary and Water Commission (IBWC)\n                Information Secllrity Program (AUDIIT-XX-XX, October 20 12)\n\nAn analysis and needs assessment of the USIBWC network processes, system infrastructure, and\ndata capacity was completed, which defined the design requirements and framed the solution\noptions for developing and imp lementing an efficient DR system. The acquired solution will\ncreate an intuitive, interactive web-enabled service to assure data quality and integrity, and\nstreamline access to the USIBWC DR site.\nImplementation of DR system components is expected to be completed by Spring of2013 . 
Full Disaster Recovery tests are expected to be completed by May of 2013.

Recommendation 23: OIG recommends that the International Boundary and Water Commission ensure that its Information Management Division is responsible for the oversight of information technology assets purchased and maintained by the contractor in support of operations at the wastewater treatment plant in San Diego, CA, as required by National Institute of Standards and Technology Special Publications (SP) 800-53, Revision 3, and SP 800-82.

(SBU) Management concurs with the finding and recommendation: The IBWC has established mods to existing contracts with contracted personnel at the SBIWTP and is currently reviewing upgrade recommendations resulting from our on-site assessment in early 2012. There are existing meeting minutes that document their compliance with the established approval process required by the IMD prior to the purchase of any technology assets. The creation of policy and procedures detailing IBWC's oversight of systems operated by the contractors will be developed for both the SCADA Veolia System to replace the existing contractor developed policy and procedures.
The SCADA system will undergo a major upgrade in 2013 to implement the security vulnerabilities IMD staff brought to their attention to include lack of password access to the SCADA system, physical access to SCADA and removing the connection between the Veolia and SCADA Systems.

Recommendation 24: OIG recommends that the International Boundary and Water Commission (IBWC) ensure that its Information Management Division reviews and approves software prior to installation on IBWC assets, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management concurs with the finding and recommendation: The currently proposed software upgrade of the existing SBIWTP SCADA system is being reviewed prior to procurement and is evidence that an approval process is in place. Mods to the existing contract currently reflect this change.

Recommendation 25: OIG recommends that the Chief Information Officer ensure that all information technology assets are accounted for, reported and tracked, and used in the calculation and reporting of Exhibit 300/Exhibit 53's to the Office of Management and Budget.

(U) Management concurs with the finding and recommendation: The USIBWC will incorporate costs of IT assets in future budget submissions once all IT assets and system inventories are finalized, consistent with OMB's guidance. Anticipate having this in place for the FY 2015 budget submission.

Recommendation 26: OIG recommends that International Boundary and Water Commission finalize its contractors' suitability clearances, including formal clearance adjudication, and issue badges, as required by Homeland Security Presidential Directive 12.

(SBU) Management concurs with the finding and recommendation: The USIBWC has initiated background investigations on all 21 contractors; 16 investigations have been completed and adjudicated. The remaining 2 investigations are still "open" pending completion of investigative leads. Eleven contractors have been issued appropriate credentials IAW HSPD-12. The remaining are pending appointments at credentialing centers.

Recommendation 27: OIG recommends that International Boundary and Water Commission ensure that the adjudication process is completed for the information technology employees undergoing background investigations.

(U) Management concurs with the finding and recommendation: All IT personnel background investigations have been completed. Supporting documentation is not available for submission, but will be prepared to provide evidence during the next FISMA assessment or via videoconference upon request.

Recommendation 28: OIG recommends that the International Boundary and Water Commission develop and implement chain-of-custody procedures to control access to the proximity access cards and remote gate devices along the international border.

(SBU) Management concurs with the finding and recommendation: The San Diego Field Office Area Operations Manager has implemented an accountability plan in coordination with the Veolia Superintendent, which responds to necessary procedures and controls over proximity access cards and remote gate devices.
The Policy & Procedures has been updated and is in the process of being finalized.

Recommendation 29: OIG recommends that the International Boundary and Water Commission develop and implement physical access controls to restrict access to the Supervisory Control and Data Acquisition control centers, Programmable Logic Controller, and file servers, as required by National Institute of Standards and Technology Special Publication 800-82.

(SBU) Management concurs with the finding and recommendation: The current update to the existing SCADA System at the SBIWTP is being evaluated to ensure that the items within this recommendation are addressed to include the physical access, deficiencies and requirement of auto-locking screens for PLC and HMI interfaces throughout the plant.
We anticipate having the new security features and updated systems in place by September 2013.

Recommendation 30: OIG recommends that the International Boundary and Water Commission restrict access to file servers at its San Diego, CA, wastewater treatment plant, the field offices in Fort Hancock, TX, and its headquarters in El Paso, TX, and ensure the servers are attached to the floor to prevent damage to equipment or harm to employees, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management concurs with the finding and recommendation: The current proposed update to the existing SCADA System at the SBIWTP is being evaluated to ensure that the items within this recommendation are addressed to include the physical access to servers at the SBIWTP. The office at Ft. Hancock has had a half rack delivered and installed restricting access to network components installed there. The IBWC is currently finalizing a scope of work that will expand the IBWC LAN room, providing more sufficient cooling, allow for growth and address the requirement of having all server racks bolted to the floor to prevent damage to equipment or harm to employees.

Recommendation 30: OIG recommends that the International Boundary and Water Commission determine the most cost-effective protective measures to prevent fire and damage to file servers, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Management concurs with the finding and recommendation: An assessment of all IBWC server rooms will be conducted in early 2013 to determine the most cost-effective protective measures to prevent fire and damage to file servers.
(U) Major Contributors to This Report

(U) Mr. Jerry Rainwaters, Division Director
Information Technology Division,
Office of Audits

(U) Mr. Steve Matthews, Audit Manager
Information Technology Division,
Office of Audits

(U) Ms. Dayo Onafowokan, Auditor-in-Charge
Information Technology Division,
Office of Audits

(U) Ms. Jamie Horvath, Senior Auditor
Information Technology Division,
Office of Audits
'